Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 216887 (CVE-2008-1720) - net-misc/rsync <2.6.9-r6 xattr Integer overflow (CVE-2008-1720)
Summary: net-misc/rsync <2.6.9-r6 xattr Integer overflow (CVE-2008-1720)
Status: RESOLVED FIXED
Alias: CVE-2008-1720
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://samba.anu.edu.au/rsync/securit...
Whiteboard: A1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-04-08 15:26 UTC by Robert Buchholz (RETIRED)
Modified: 2008-04-21 08:01 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-04-08 15:26:09 UTC
integer overflow -> heap-based buffer overflow on rsync 3.0  and later, only when xattr is enabled.

This issue is currently under embargo until rsync upstream announces the fix.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-04-08 16:21:23 UTC
Tomas Hoger:
Seems that the code that is fixed by your patch is included in
rsync-2.6.9/patches/acls.diff, so it seems it may be used by 2.6.9 as
well.
Comment 2 SpanKY gentoo-dev 2008-04-08 17:29:13 UTC
rsync-3.0.2 was released with the fix and in the tree
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-04-08 18:40:10 UTC
Vapier, thanks for noting this.

2.6.9 also needs to be fixed because it applies the xattr patches. Or should 3.0.2 go through straight stabling?
http://rsync.samba.org/ftp/rsync/security/rsync-3.0.1-xattr-alloc.diff
Comment 4 SpanKY gentoo-dev 2008-04-10 03:38:47 UTC
while i dont have a problem with rsync-3.0.2 going stable, it may be a little too soon for the rsync-3 series

rsync-2.6.9-r6 in the tree with the upstream fix
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-04-10 09:05:07 UTC
Arches, please test and mark stable:
=net-misc/rsync-2.6.9-r6
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh sparc x86"
Comment 6 Dawid Węgliński (RETIRED) gentoo-dev 2008-04-10 17:11:48 UTC
On x86:

    rsync 2.6.9 configuration successful

make
i686-pc-linux-gnu-gcc -std=gnu99 -I. -I. -O2 -march=pentium-m -fomit-frame-pointer -pipe -DHAVE_CONFIG_H -Wall -W  -c rsync.c -o rsync.o
i686-pc-linux-gnu-gcc -std=gnu99 -I. -I. -O2 -march=pentium-m -fomit-frame-pointer -pipe -DHAVE_CONFIG_H -Wall -W  -c generator.c -o generator.o
i686-pc-linux-gnu-gcc -std=gnu99 -I. -I. -O2 -march=pentium-m -fomit-frame-pointer -pipe -DHAVE_CONFIG_H -Wall -W  -c receiver.c -o receiver.o
i686-pc-linux-gnu-gcc -std=gnu99 -I. -I. -O2 -march=pentium-m -fomit-frame-pointer -pipe -DHAVE_CONFIG_H -Wall -W  -c cleanup.c -o cleanup.o
i686-pc-linux-gnu-gcc -std=gnu99 -I. -I. -O2 -march=pentium-m -fomit-frame-pointer -pipe -DHAVE_CONFIG_H -Wall -W  -c sender.c -o sender.o
i686-pc-linux-gnu-gcc -std=gnu99 -I. -I. -O2 -march=pentium-m -fomit-frame-pointer -pipe -DHAVE_CONFIG_H -Wall -W  -c exclude.c -o exclude.o
i686-pc-linux-gnu-gcc -std=gnu99 -I. -I. -O2 -march=pentium-m -fomit-frame-pointer -pipe -DHAVE_CONFIG_H -Wall -W  -c util.c -o util.o
util.c:1264: error: conflicting types for '_realloc_array'
proto.h:325: error: previous declaration of '_realloc_array' was here
make: *** [util.o] Error 1

Portage 2.1.4.4 (default-linux/x86/2007.0/desktop, gcc-4.1.2, glibc-2.6.1-r0, 2.6.23-tuxonice-r10 i686)
=================================================================
System uname: 2.6.23-tuxonice-r10 i686 Intel(R) Celeron(R) M processor 1.50GHz
Timestamp of tree: Thu, 10 Apr 2008 12:45:03 +0000
app-shells/bash:     3.2_p17-r1
dev-lang/python:     2.4.4-r9, 2.5.1-r5
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 2.0.0
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium-m -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -march=pentium-m -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks metadata-transfer parallel-fetch sandbox sfperms sign strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://gentoo.virginmedia.com/ ftp://ftp.snt.utwente.nl/pub/os/linux/gentoo http://gentoo.tiscali.nl/"
LC_ALL="en_GB.UTF-8"
LINGUAS="pl en_GB"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X acl acpi alsa berkdb cairo cdr cli cracklib crypt dbus dri dvd dvdr dvdread eds emboss encode esd evo fam firefox fortran gdbm gif gpm gstreamer hal iconv ipv6 isdnlog jpeg kde kdehiddenvisibility kerberos ldap mad midi mikmod mp3 mpeg mudflap ncurses nls nptl nptlonly ogg opengl openmp oss pam pcre pdf perl png pppd python qt3 qt3support qt4 quicktime readline reflection sdl session slang spell spl ssl svg tcpd tiff truetype unicode vorbis win32codecs x86 xml xorg xv zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="mouse keyboard synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="pl en_GB" USERLAND="GNU" VIDEO_CARDS="i810"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LDFLAGS, MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2008-04-10 17:37:05 UTC
ppc stable
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2008-04-10 18:19:41 UTC
alpha/ia64/sparc stable, and compiles fine on x86
Comment 9 Markus Rothe (RETIRED) gentoo-dev 2008-04-10 18:35:05 UTC
ppc64 stable
Comment 10 Markus Meier gentoo-dev 2008-04-10 18:48:53 UTC
I can reproduce the failure on x86, if the acl USE-flag is set.
Comment 11 Markus Meier gentoo-dev 2008-04-10 19:18:38 UTC
amd64 stable (no acl-related problems here)
Comment 12 Jeroen Roovers gentoo-dev 2008-04-10 19:48:41 UTC
Stable for HPPA.
Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-04-10 20:40:11 UTC
base-system, please advise wrt comments #6 and #10.

btw, updating severity to major, dunno why it was on trivial.
Comment 14 Dawid Węgliński (RETIRED) gentoo-dev 2008-04-10 21:45:12 UTC
Yup, works here if USE="-acl".
Comment 15 SpanKY gentoo-dev 2008-04-12 20:30:04 UTC
odd that it builds for so many of us

should be fixed in cvs now
Comment 16 Dawid Węgliński (RETIRED) gentoo-dev 2008-04-12 22:34:51 UTC
x86 stable
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2008-04-17 12:02:29 UTC
A2->A1 since this affects the server too.
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2008-04-17 12:14:34 UTC
GLSA 200804-16
Comment 19 Peter Volkov (RETIRED) gentoo-dev 2008-04-21 08:01:04 UTC
Fixed in release snapshot.