Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 728852 - <net-misc/rsync-3.2.0: Multiple vulnerabilities (CVE-2016-{9840,9841,9842,9843})
Summary: <net-misc/rsync-3.2.0: Multiple vulnerabilities (CVE-2016-{9840,9841,9842,9843})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://rsync.samba.org/ftp/rsync/rsy...
Whiteboard: A3 [glsa+ cve]
Keywords:
Depends on: 728868 728898 729582
Blocks: CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843
  Show dependency tree
 
Reported: 2020-06-19 23:20 UTC by Sam James
Modified: 2020-07-28 19:34 UTC (History)
2 users (show)

See Also:
Package list:
net-misc/rsync-3.2.0-r1
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-19 23:20:22 UTC
From 3.2.0 release notes:
"Various zlib fixes, including security fixes for CVE-2016-9843, CVE-2016-9842, CVE-2016-9841, and CVE-2016-9840."

Also:
"Avoid a potential out-of-bounds read in daemon mode if argc can be made to become 0."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-19 23:21:21 UTC
[Note that USE=system-zlib is not vulnerable to this, because of the fixes in bug 601828].
Comment 2 Larry the Git Cow gentoo-dev 2020-06-20 01:28:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9f8b0a10cde068cb69c2714a61b5f8d00e96ea99

commit 9f8b0a10cde068cb69c2714a61b5f8d00e96ea99
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-06-20 01:20:59 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-06-20 01:28:09 +0000

    net-misc/rsync: Bump to version 3.2.0. Removed old
    
    Bug: https://bugs.gentoo.org/728852
    Package-Manager: Portage-2.3.101, Repoman-2.3.22
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 net-misc/rsync/Manifest                            |  2 +-
 net-misc/rsync/files/rsync-3.2.0-simd_check.patch  | 24 ++++++++++++++++++++++
 .../rsync/files/rsync-3.2.0_pre3-simd_check.patch  | 24 ----------------------
 ...{rsync-3.2.0_pre3.ebuild => rsync-3.2.0.ebuild} |  4 ++--
 4 files changed, 27 insertions(+), 27 deletions(-)
Comment 3 NATTkA bot gentoo-dev 2020-06-21 09:32:29 UTC
Unable to check for sanity:

> no match for package: net-misc/rsync-3.2.0
Comment 4 Thomas Deutschmann gentoo-dev 2020-06-21 20:32:08 UTC
x86 stable
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-21 22:08:13 UTC
arm64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-06-22 07:00:30 UTC
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-06-22 07:01:07 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-06-22 07:01:48 UTC
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-06-22 07:02:12 UTC
s390 stable
Comment 10 Rolf Eike Beer archtester 2020-06-22 18:36:00 UTC
hppa/sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-06-25 07:00:29 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 12 Larry the Git Cow gentoo-dev 2020-06-25 08:34:47 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5eb79a6c9300e9385ffb6eac6fff0ef041bef693

commit 5eb79a6c9300e9385ffb6eac6fff0ef041bef693
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-06-25 08:22:20 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-06-25 08:34:41 +0000

    net-misc/rsync: Security cleanup
    
    Bug: https://bugs.gentoo.org/728852
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 net-misc/rsync/Manifest           |  1 -
 net-misc/rsync/rsync-3.1.3.ebuild | 91 ---------------------------------------
 2 files changed, 92 deletions(-)
Comment 13 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2020-06-25 09:23:51 UTC
commit 98406e6c893975bb61cddd26dfbb083bc03c6cb4
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Thu Jun 25 11:19:46 2020

    Revert "net-misc/rsync: Security cleanup"

    This reverts commit 5eb79a6c9300e9385ffb6eac6fff0ef041bef693.
    because >=rsync-3.2.0 has no riscv keyword yet

    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Comment 14 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2020-06-26 16:30:35 UTC
Cleanup done.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2020-07-28 19:34:52 UTC
This issue was resolved and addressed in
 GLSA 202007-54 at https://security.gentoo.org/glsa/202007-54
by GLSA coordinator Sam James (sam_c).