CVE-2017-16548 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16548): The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing '\0' character in an xattr name, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly have unspecified other impact by sending crafted data to the daemon.
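The missing check named in the CVE text, shown as an added example; this is not rsync's code and not part of the bug report. The record layout, `parse_name`, `status_of`, `MAX_NAME_LEN` and the sample byte arrays are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record: 4-byte big-endian length, then that many name bytes,
 * the last of which must be '\0'. Illustrative layout, not rsync's protocol. */
#define MAX_NAME_LEN 256u

enum name_status { NAME_OK, NAME_TRUNCATED, NAME_BAD_LENGTH,
                   NAME_NOT_TERMINATED, NAME_EMBEDDED_NUL };

/* Validate one record in buf[0..buf_len). On NAME_OK, *name points at a string
 * whose terminator lies inside the buffer, so strlen()/strcmp() stay in bounds. */
enum name_status parse_name(const uint8_t *buf, size_t buf_len, const char **name)
{
    if (buf_len < 4)
        return NAME_TRUNCATED;
    uint32_t len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                   ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    if (len < 2 || len > MAX_NAME_LEN)      /* one character plus the NUL */
        return NAME_BAD_LENGTH;
    if (len > buf_len - 4)                  /* claimed length exceeds the data */
        return NAME_TRUNCATED;
    const uint8_t *p = buf + 4;
    if (p[len - 1] != '\0')                 /* the check the CVE text says was absent */
        return NAME_NOT_TERMINATED;
    if (memchr(p, '\0', len - 1) != NULL)   /* stricter than the CVE text: no early NUL */
        return NAME_EMBEDDED_NUL;
    *name = (const char *)p;
    return NAME_OK;
}

/* Constructed sample records (not captured traffic). */
static const uint8_t sample_ok[]       = {0, 0, 0, 5, 'u', 's', 'e', 'r', 0};
static const uint8_t sample_unterm[]   = {0, 0, 0, 4, 'u', 's', 'e', 'r'};
static const uint8_t sample_short[]    = {0, 0, 0, 9, 'u', 's', 'e', 'r', 0};
static const uint8_t sample_embedded[] = {0, 0, 0, 5, 'u', 0, 'e', 'r', 0};

enum name_status status_of(const uint8_t *buf, size_t n)
{
    const char *name = NULL;
    return parse_name(buf, n, &name);
}

int main(void)
{
    printf("ok=%d unterminated=%d short=%d embedded=%d\n",
           status_of(sample_ok, sizeof sample_ok),
           status_of(sample_unterm, sizeof sample_unterm),
           status_of(sample_short, sizeof sample_short),
           status_of(sample_embedded, sizeof sample_embedded));
    return 0;
}
```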
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=61f33ecb79092b9b86d8a95da0950215e6194122

commit 61f33ecb79092b9b86d8a95da0950215e6194122
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2017-11-14 22:40:01 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2017-11-14 22:40:01 +0000

    net-misc/rsync: Rev bump to fix CVE-2017-16548

    Bug: https://bugs.gentoo.org/636714
    Package-Manager: Portage-2.3.13, Repoman-2.3.4

 .../rsync/files/rsync-3.1.2-CVE-2017-16548.patch | 17 +++++
 net-misc/rsync/rsync-3.1.2-r1.ebuild             | 89 ++++++++++++++++++++++
 2 files changed, 106 insertions(+)
@ Arches, please test and mark stable: =net-misc/rsync-3.1.2-r1
amd64 stable
ppc/ppc64 stable
x86 stable
ia64 stable
Stable on alpha.
hppa is already stable by

commit 82185532b04f834a3ec3433d259323feaad694ac
Author: Jeroen Roovers <jer@gentoo.org>
Date:   Thu Nov 16 08:58:42 2017 +0100

    net-misc/rsync: Stable for HPPA too.
sparc stable (thanks to Rolf Eike Beer)
arm stable
Superseded by bug 640570.
Added to an existing GLSA.
This issue was resolved and addressed in GLSA 201801-16 at https://security.gentoo.org/glsa/201801-16 by GLSA coordinator Mikle Kolyada (Zlogene).