Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 360891 (CVE-2011-1097) - <net-misc/rsync-3.0.8: multiple vulnerabilities (CVE-2011-1097)
Summary: <net-misc/rsync-3.0.8: multiple vulnerabilities (CVE-2011-1097)
Alias: CVE-2011-1097
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal critical (vote)
Assignee: Gentoo Security
Whiteboard: A1 [glsa]
Depends on:
Reported: 2011-03-28 09:16 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2014-12-12 00:37 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-28 09:16:28 UTC
NEWS for rsync 3.0.8 (26 Mar 2011)
Protocol: 30 (unchanged)
Changes since 3.0.7:


    - Fixed two buffer-overflow issues: one where a directory path that is
      exactly MAXPATHLEN was not handled correctly, and one handling a
      --backup-dir that is extra extra large.

    - Fixed a data-corruption issue when preserving hard-links without
      preserving file ownership, and doing deletions either before or during
      the transfer (CVE-2011-1097).  This fixes some assert errors in the
      hard-linking code, and some potential failed checksums (via -c) that
      should have matched.

    - Fixed a potential crash when an rsync daemon has a filter/exclude list
      and the transfer is using ACLs or xattrs.

    - Fixed a hang if a really large file is being processed by an rsync that
      can't handle 64-bit numbers.  Rsync will now complain about the file
      being too big and skip it.

Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-28 09:18:46 UTC
Maintainers, please bump rsync to 3.0.8. If possible, please add STABLEREQ keyword, CC arches and flip the status whiteboard to "stable" after doing the bump.
Comment 2 SpanKY gentoo-dev 2011-03-28 09:30:04 UTC
in the tree now
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-03-28 14:34:41 UTC
(In reply to comment #2)
> in the tree now

Thank you.

Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 4 Agostino Sarubbo gentoo-dev 2011-03-28 14:49:23 UTC
amd64 ok
Comment 5 Andreas Schürch gentoo-dev 2011-03-28 16:41:09 UTC
Tested on x86, looks good to go!
Comment 6 Christoph Mende (RETIRED) gentoo-dev 2011-03-28 17:33:25 UTC
amd64 done, thanks Agostino
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2011-03-28 19:40:36 UTC
Stable for HPPA.
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2011-03-28 20:01:30 UTC
x86 stable, thanks Andreas
Comment 9 Alex Buell 2011-03-28 20:29:03 UTC
Tested OK on SPARc, by doing syncs with Portage trees, seems to be OK. Could be stabilised.
Comment 10 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-03-29 03:56:02 UTC
ppc/ppc64 stable
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2011-04-02 14:30:26 UTC
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2011-04-02 15:18:04 UTC
Thanks, folks. GLSA request filed.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 20:04:32 UTC
CVE-2011-1097 (
  rsync 3.x before 3.0.8, when certain recursion, deletion, and ownership
  options are used, allows remote rsync servers to cause a denial of service
  (heap memory corruption and application crash) or possibly execute arbitrary
  code via malformed data.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2014-12-12 00:37:26 UTC
This issue was resolved and addressed in
 GLSA 201412-09 at
by GLSA coordinator Sean Amoss (ackle).