Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 636714 (CVE-2017-16548)

Summary: <net-misc/rsync-3.1.2-r1: Heap-based buffer over-read in receive_xattr function (CVE-2017-16548)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: base-system
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.samba.org/show_bug.cgi?id=13112
See Also: https://github.com/gentoo/gentoo/pull/6206
Whiteboard: A3 [glsa+ cve]
Package list:
=net-misc/rsync-3.1.2-r1
 Runtime testing required: ---
Bug Depends on: 640570    
Bug Blocks:    

Description GLSAMaker/CVETool Bot gentoo-dev 2017-11-06 17:53:34 UTC 
CVE-2017-16548 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16548):
  The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development
  does not check for a trailing '\0' character in an xattr name, which allows
  remote attackers to cause a denial of service (heap-based buffer over-read
  and application crash) or possibly have unspecified other impact by sending
  crafted data to the daemon.
Comment 1 Larry the Git Cow gentoo-dev 2017-11-14 22:40:29 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=61f33ecb79092b9b86d8a95da0950215e6194122

commit 61f33ecb79092b9b86d8a95da0950215e6194122
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2017-11-14 22:40:01 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2017-11-14 22:40:01 +0000

    net-misc/rsync: Rev bump to fix CVE-2017-16548
    
    Bug: https://bugs.gentoo.org/636714
    Package-Manager: Portage-2.3.13, Repoman-2.3.4

 .../rsync/files/rsync-3.1.2-CVE-2017-16548.patch   | 17 +++++
 net-misc/rsync/rsync-3.1.2-r1.ebuild               | 89 ++++++++++++++++++++++
 2 files changed, 106 insertions(+)}
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-14 22:42:48 UTC 
@ Arches,

please test and mark stable: =net-misc/rsync-3.1.2-r1
Comment 3 Manuel RĂ¼ger (RETIRED) gentoo-dev 2017-11-15 13:55:02 UTC 
amd64 stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-15 23:24:51 UTC 
ppc/ppc64 stable
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-16 01:38:05 UTC 
x86 stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-16 07:35:49 UTC 
ia64 stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2017-11-17 11:23:11 UTC 
Stable on alpha.
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-18 09:32:19 UTC 
hppa is already stable by

commit 82185532b04f834a3ec3433d259323feaad694ac
Author: Jeroen Roovers <jer@gentoo.org>
Date:   Thu Nov 16 08:58:42 2017 +0100

    net-misc/rsync: Stable for HPPA too.
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-18 09:41:54 UTC 
sparc stable (thanks to Rolf Eike Beer)
Comment 10 Markus Meier gentoo-dev 2017-11-19 19:46:58 UTC 
arm stable
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2017-12-10 19:12:20 UTC 
Superseded by bug 640570.
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-16 12:20:31 UTC 
Added to an existing GLSA.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2018-01-17 03:39:32 UTC 
This issue was resolved and addressed in
 GLSA 201801-16 at https://security.gentoo.org/glsa/201801-16
by GLSA coordinator Mikle Kolyada (Zlogene).