Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 88681 - net-misc/rsnapshot: privilege escalation
Summary: net-misc/rsnapshot: privilege escalation
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High major (vote)
Assignee: Gentoo Security
Whiteboard: B1 [glsa]
Depends on:
Reported: 2005-04-11 00:35 UTC by Thierry Carrez (RETIRED)
Modified: 2007-05-31 10:53 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Thierry Carrez (RETIRED) gentoo-dev 2005-04-11 00:35:58 UTC
rsnapshot Security Advisory 001             
Apr 10th, 2005                                             Nathan Rosenquist

  Severity:      high
  Vulnerability: local privilege escalation
  Fix provided:  yes

1) Background

rsnapshot is a filesystem snapshot utility for making backups of local and
remote systems.

Using rsync and hard links, it is possible to keep multiple, full backups
instantly available. The disk space required is just a little more than the
space of one full backup, plus incrementals.

2) Problem description

The copy_symlink() subroutine in rsnapshot incorrectly changes file
ownership on the files pointed to by symlinks, not on the symlinks
themselves. This would allow, under certain circumstances, an arbitrary
user to take ownership of a file on the main filesystem.

This subroutine is called under the following circumstances:

  a) If the cmd_cp parameter has NOT been enabled, OR

  b) If the backup_script parameter is set, and the backup script
     generates symlinks as part of its output

  c) AND if the attacker can create symlinks in a directory that is backed
     up, either by creating them directly or influencing a backup script.

This vulnerability has been fixed in rsnapshot versions 1.1.7 and 1.2.1.
It is recommended that all users upgrade immediately.

3) Upgrade Instructions

For users of rsnapshot 1.2.0, download and install version 1.2.1.
For users of rsnapshot 1.1.6 or earlier, download and install version

  rsnapshot 1.2.1

  rsnapshot 1.1.7

4) Workarounds

Enable the cmd_cp parameter (requires GNU cp, and works best on Linux).

Make sure any scripts specified by the backup_script parameter do not
create symlinks.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-04-11 00:56:50 UTC
kloeri: please bump...

If you think 1.2.1 is a stable candidate, I guess only this one is needed... But if you don't think it's a stable candidate, you'll probably have to add the two fixed versions.
Comment 2 Bryan Østergaard (RETIRED) gentoo-dev 2005-04-11 14:08:48 UTC
I've added 1.2.1 to the tree and stabled it.
Comment 3 Luke Macken (RETIRED) gentoo-dev 2005-04-11 14:21:52 UTC
Thanks Bryan, please remove insecure versions from the tree if it is safe to do so.

This is ready for GLSA.
Comment 4 Bryan Østergaard (RETIRED) gentoo-dev 2005-04-11 23:17:22 UTC
Removed all vulnerable versions.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-04-13 11:28:45 UTC
GLSA 200504-12
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-04-13 14:00:53 UTC
Version 1.1.7 added as a fixed version to the GLSA. No update needed.