CVE-2017-17434 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17434): The daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, does not check for fnamecmp filenames in the daemon_filter_list data structure (in the recv_files function in receiver.c) and also does not apply the sanitize_paths protection mechanism to pathnames found in "xname follows" strings (in the read_ndx_and_attrs function in rsync.c), which allows remote attackers to bypass intended access restrictions.
CVE-2017-17433 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17433): The recv_files function in receiver.c in the daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, proceeds with certain file metadata updates before checking for a filename in the daemon_filter_list data structure, which allows remote attackers to bypass intended access restrictions.
@Maintainers please confirm if we are affected. Call for stabilization when ready, please. Thank you
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c1dd842d0104a10bfe6778597676aaa139f8d360
commit c1dd842d0104a10bfe6778597676aaa139f8d360
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2017-12-10 19:05:40 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2017-12-10 19:06:59 +0000
    net-misc/rsync: Rev bump to add patch for CVE-2017-{17433,17434}
    Bug: https://bugs.gentoo.org/640570
    Package-Manager: Portage-2.3.16, Repoman-2.3.6
 .../files/rsync-3.1.2-CVE-2017-17433-fixup.patch   | 33 ++++++++
 .../rsync/files/rsync-3.1.2-CVE-2017-17433.patch   | 39 +++++++++
 .../files/rsync-3.1.2-CVE-2017-17434-part1.patch   | 22 +++++
 .../files/rsync-3.1.2-CVE-2017-17434-part2.patch   | 33 ++++++++
 net-misc/rsync/rsync-3.1.2-r2.ebuild               | 95 ++++++++++++++++++++++
 5 files changed, 222 insertions(+)
@ Arches, please test and mark stable: =net-misc/rsync-3.1.2-r2
amd64 stable
x86 stable
sparc stable (thanks to Rolf Eike Beer)
ia64 stable
ppc/ppc64 stable
arm stable
hppa stable (thanks to Rolf Eike Beer)
commit a2d952b62defc160371ebf25bca7b4c1aad108aa
Author: Mike Frysinger <vapier@gentoo.org>
Date:   Sat Jan 13 01:47:17 2018 -0500
    dev-util/ninja: mark 1.8.2 arm64/m68k/s390/sh stable
Stable on alpha.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f4645d03255e620758f0bcad551c282061a7de26
commit f4645d03255e620758f0bcad551c282061a7de26
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-01-16 12:17:56 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-01-16 12:17:56 +0000
    net-misc/rsync: Security cleanup
    Bug: https://bugs.gentoo.org/640570
    Package-Manager: Portage-2.3.19, Repoman-2.3.6
 net-misc/rsync/rsync-3.1.2-r1.ebuild | 89 ------------------------------------
 1 file changed, 89 deletions(-)
New GLSA request filed.
This issue was resolved and addressed in GLSA 201801-16 at https://security.gentoo.org/glsa/201801-16 by GLSA coordinator Mikle Kolyada (Zlogene).