From the rsync homepage: There is a security fix included in 2.6.1 that affects only people running a read/write daemon WITHOUT using chroot. If the user privs that such an rsync daemon is using is anything above "nobody", you are at risk of someone crafting an attack that could write a file outside of the module's "path". Please either enable chroot or upgrade to 2.6.1. People not running a daemon, running a read-only daemon, or running a chrooted daemon are totally unaffected. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0426 to this issue. Reproducible: Always
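The report above describes the class of bug: a non-chrooted daemon accepts a client-supplied path and ends up writing outside the module's "path". The check below is an added example of how a server can confine such paths; it is illustrative code written for this page, not rsync's own sanitize routine, and `sanitize_path`, `demo` and the constructed temporary directory layout are assumptions. It rejects `..` escapes textually, treats absolute client paths as relative to the module root, and then resolves symlinks so that a link planted inside the module cannot point the write outside it.

```python
import os
import posixpath
import tempfile


def sanitize_path(module_root, requested):
    """Return the absolute on-disk path for `requested` confined to
    `module_root`, or None if the request would land outside it.
    Hypothetical helper added as an example; not rsync's code."""
    root = os.path.realpath(module_root)
    # An absolute client path is treated as relative to the module root,
    # never as a real absolute path on the server.
    rel = requested.lstrip("/")
    # Collapse "." and ".." components textually first.
    norm = posixpath.normpath(rel)
    if norm == ".":
        norm = ""
    if norm == ".." or norm.startswith("../"):
        # Any path that still climbs above the root after normalisation
        # is a traversal attempt.
        return None
    # Resolve symlinks: a link inside the module may point outside it.
    candidate = os.path.realpath(os.path.join(root, norm))
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


def demo():
    """Build a constructed module directory with a symlink pointing out of it
    and run several client paths through sanitize_path. Returns each result
    as a path relative to the module root, or None when rejected."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "module")
    outside = os.path.join(base, "outside")  # constructed: not part of the module
    os.makedirs(os.path.join(root, "sub"))
    os.makedirs(outside)
    # Constructed escape: a symlink inside the module that resolves outside it.
    os.symlink(outside, os.path.join(root, "link"))
    real_root = os.path.realpath(root)

    def relative(path):
        return None if path is None else os.path.relpath(path, real_root)

    requests = {
        "inside": "sub/./file.txt",            # legitimate request
        "absolute": "/sub/file.txt",           # absolute path, confined to root
        "traversal": "../outside/evil",        # plain ".." escape
        "nested_dotdot": "sub/../../outside/evil",  # ".." hidden behind a real dir
        "symlink_escape": "link/evil",         # escape via the planted symlink
    }
    return {name: relative(sanitize_path(root, req)) for name, req in requests.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15} -> {result}")
```

Normalising before resolving matters: `os.path.realpath` alone would happily return a path under `/etc` for `../../etc/passwd`, and the textual check alone would miss the symlink case, so both steps are needed. Running the daemon chrooted, as the advisory recommends, removes the whole problem class rather than relying on this check being correct.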
2.6.1 does not exist. 2.6.2 does, however, and I'll add this to the tree shortly.
*rsync-2.6.2 (30 Apr 2004) 30 Apr 2004; <solar@gentoo.org> rsync-2.6.2.ebuild: version bump for security update CAN-2004-0426, bug 49534 this version also seems to have the proxy-auth patch merged upstream, USE=acl disabled for now due to patching conflicts
Current keywords KEYWORDS="~x86 ~ppc ~sparc ~mips ~alpha ~hppa ~amd64 ~ia64 ~ppc64 ~s390" Arch maintainers please test and mark stable.
Stable on s390
Marked stable on mips.
Stable on x86 + amd64.
Stable on hppa.
-r1 stable on sparc
It seems this version has lost the magic that makes it look in /etc/rsync/ for rsyncd.conf (like bug 12902?). I'm seeing this in rsync-2.6.2-r1 on x86 and sparc64, but presumably other arches are similarly affected. Re-adding arches for additional QA.
isengard root # grep rsync /var/log/daemon.log|tail
May 2 23:23:03 isengard rsyncd[13326]: rsync: unable to open configuration file "/etc/rsyncd.conf": No such file or directory
May 2 23:23:03 isengard rsyncd[13326]: rsync error: syntax or usage error (code 1) at clientserver.c(586)
isengard root # qpkg rsync -c -v
net-misc/rsync-2.6.2-r1 * 0/22
2.6.2 and 2.6.2-r1 both marked stable on ppc64
stable on ppc/arm just need alpha/ia64
Stable on alpha.
please mark ia64 stable
rsync-2.6.2-r2 ready for a GLSA draft -K
This issue is being handled. At present, 2.6.2 has been added to the package.mask file, so users should stay at 2.6.0 for the time being. -jeffrey. Reference: bug 49933
bug 49933 blocks 2.6.2-r2, going back to "wait for ebuild" status. -K
Just for reference: http://www.debian.org/security/2004/dsa-499 regards, Tobias
Created attachment 35051 [details, diff] 2.6.0-sanitize.patch
As far as I can tell from poring through the mail/cvs archives, and checking out the Debian/Red Hat patches, the attached patch should be all we need ... seems like the info was obfuscated, but it seems like the commit happened on Mar 27 2004: http://lists.samba.org/archive/rsync-cvs/2004-March.txt.gz Those cvs patches were touched up to apply semi-cleanly to 2.6.0. I've sat on this long enough; can someone please double check the patch for me before I go committing 2.6.0-r2, since 2.6.{1,2} seem pretty hosed?
As CondorDes pointed out on irc, the hunk for clientserver.c was reversed ... it actually duplicated a block of code that was supposed to be removed ;) While it doesn't introduce the vuln, it isn't correct :) I've fixed the patch and added 2.6.0-r2 to portage ... I guess we just need the GLSA now?
First we need it stable :) Arches: please mark net-misc/rsync-2.6.0-r2 stable. I'll take care of the draft; I submitted one in the old days already.
Done on ppc.
hppa stable
Stable on sparc.
Stable on x86.
Removing ppc from Cc, as it has been forgotten.
Stable on mips
amd64: please mark rsync-2.6.0-r2 stable so that the GLSA can go out.
Sorry for the delay. Stable on amd64.
GLSA 200407-10
stable on ppc64