Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 636714 (CVE-2017-16548) - <net-misc/rsync-3.1.2-r1: Heap-based buffer over-read in receive_xattr function (CVE-2017-16548)
Summary: <net-misc/rsync-3.1.2-r1: Heap-based buffer over-read in receive_xattr functi...
Alias: CVE-2017-16548
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [glsa+ cve]
Depends on: CVE-2017-17433, CVE-2017-17434
  Show dependency tree
Reported: 2017-11-06 17:53 UTC by GLSAMaker/CVETool Bot
Modified: 2018-01-17 03:39 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2017-11-06 17:53:34 UTC
CVE-2017-16548 (
  The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development
  does not check for a trailing '\0' character in an xattr name, which allows
  remote attackers to cause a denial of service (heap-based buffer over-read
  and application crash) or possibly have unspecified other impact by sending
  crafted data to the daemon.
Comment 1 Larry the Git Cow gentoo-dev 2017-11-14 22:40:29 UTC
The bug has been referenced in the following commit(s):

commit 61f33ecb79092b9b86d8a95da0950215e6194122
Author:     Thomas Deutschmann <>
AuthorDate: 2017-11-14 22:40:01 +0000
Commit:     Thomas Deutschmann <>
CommitDate: 2017-11-14 22:40:01 +0000

    net-misc/rsync: Rev bump to fix CVE-2017-16548
    Package-Manager: Portage-2.3.13, Repoman-2.3.4

 .../rsync/files/rsync-3.1.2-CVE-2017-16548.patch   | 17 +++++
 net-misc/rsync/rsync-3.1.2-r1.ebuild               | 89 ++++++++++++++++++++++
 2 files changed, 106 insertions(+)}
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-14 22:42:48 UTC
@ Arches,

please test and mark stable: =net-misc/rsync-3.1.2-r1
Comment 3 Manuel Rüger (RETIRED) gentoo-dev 2017-11-15 13:55:02 UTC
amd64 stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-15 23:24:51 UTC
ppc/ppc64 stable
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-16 01:38:05 UTC
x86 stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-16 07:35:49 UTC
ia64 stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2017-11-17 11:23:11 UTC
Stable on alpha.
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-18 09:32:19 UTC
hppa is already stable by

commit 82185532b04f834a3ec3433d259323feaad694ac
Author: Jeroen Roovers <>
Date:   Thu Nov 16 08:58:42 2017 +0100

    net-misc/rsync: Stable for HPPA too.
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-18 09:41:54 UTC
sparc stable (thanks to Rolf Eike Beer)
Comment 10 Markus Meier gentoo-dev 2017-11-19 19:46:58 UTC
arm stable
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2017-12-10 19:12:20 UTC
Superseded by bug 640570.
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-16 12:20:31 UTC
Added to an existing GLSA.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2018-01-17 03:39:32 UTC
This issue was resolved and addressed in
 GLSA 201801-16 at
by GLSA coordinator Mikle Kolyada (Zlogene).