Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 640570 (CVE-2017-17433, CVE-2017-17434) - <net-misc/rsync-3.1.2-r2: Multiple vulnerabilities (CVE-2017-{17433,17434})
Summary: <net-misc/rsync-3.1.2-r2: Multiple vulnerabilities (CVE-2017-{17433,17434})
Status: RESOLVED FIXED
Alias: CVE-2017-17433, CVE-2017-17434
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa+ cve]
Keywords:
Depends on:
Blocks: CVE-2017-16548
  Show dependency tree
 
Reported: 2017-12-10 16:58 UTC by GLSAMaker/CVETool Bot
Modified: 2018-01-17 03:39 UTC (History)
1 user (show)

See Also:
Package list:
=net-misc/rsync-3.1.2-r2
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2017-12-10 16:58:00 UTC
CVE-2017-17434 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17434):
  The daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, does not
  check for fnamecmp filenames in the daemon_filter_list data structure (in
  the recv_files function in receiver.c) and also does not apply the
  sanitize_paths protection mechanism to pathnames found in "xname follows"
  strings (in the read_ndx_and_attrs function in rsync.c), which allows remote
  attackers to bypass intended access restrictions.

CVE-2017-17433 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17433):
  The recv_files function in receiver.c in the daemon in rsync 3.1.2, and
  3.1.3-development before 2017-12-03, proceeds with certain file metadata
  updates before checking for a filename in the daemon_filter_list data
  structure, which allows remote attackers to bypass intended access
  restrictions.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-12-10 16:58:59 UTC
@Maintainers please confirm if we are affected. Call for stabilization when ready, please.

Thank you
Comment 2 Larry the Git Cow gentoo-dev 2017-12-10 19:07:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c1dd842d0104a10bfe6778597676aaa139f8d360

commit c1dd842d0104a10bfe6778597676aaa139f8d360
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2017-12-10 19:05:40 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2017-12-10 19:06:59 +0000

    net-misc/rsync: Rev bump to add patch for CVE-2017-{17433,17434}
    
    Bug: https://bugs.gentoo.org/640570
    Package-Manager: Portage-2.3.16, Repoman-2.3.6

 .../files/rsync-3.1.2-CVE-2017-17433-fixup.patch   | 33 ++++++++
 .../rsync/files/rsync-3.1.2-CVE-2017-17433.patch   | 39 +++++++++
 .../files/rsync-3.1.2-CVE-2017-17434-part1.patch   | 22 +++++
 .../files/rsync-3.1.2-CVE-2017-17434-part2.patch   | 33 ++++++++
 net-misc/rsync/rsync-3.1.2-r2.ebuild               | 95 ++++++++++++++++++++++
 5 files changed, 222 insertions(+)}
Comment 3 Thomas Deutschmann gentoo-dev Security 2017-12-10 19:11:04 UTC
@ Arches,

please test and mark stable: =net-misc/rsync-3.1.2-r2
Comment 4 Manuel Rüger gentoo-dev 2017-12-10 23:27:48 UTC
amd64 stable
Comment 5 Thomas Deutschmann gentoo-dev Security 2017-12-12 16:35:52 UTC
x86 stable
Comment 6 Sergei Trofimovich gentoo-dev 2017-12-12 23:01:51 UTC
sparc stable (thanks to Rolf Eike Beer)
Comment 7 Sergei Trofimovich gentoo-dev 2017-12-13 00:12:57 UTC
ia64 stable
Comment 8 Sergei Trofimovich gentoo-dev 2017-12-14 20:12:58 UTC
ppc/ppc64 stable
Comment 9 Markus Meier gentoo-dev 2017-12-21 19:26:52 UTC
arm stable
Comment 10 Sergei Trofimovich gentoo-dev 2017-12-31 23:36:22 UTC
hppa stable (thanks to Rolf Eike Beer)
Comment 11 Sergei Trofimovich gentoo-dev 2018-01-13 14:11:23 UTC
commit a2d952b62defc160371ebf25bca7b4c1aad108aa
Author: Mike Frysinger <vapier@gentoo.org>
Date:   Sat Jan 13 01:47:17 2018 -0500

    dev-util/ninja: mark 1.8.2 arm64/m68k/s390/sh stable
Comment 12 Tobias Klausmann gentoo-dev 2018-01-16 12:14:57 UTC
Stable on alpha.
Comment 13 Larry the Git Cow gentoo-dev 2018-01-16 12:18:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f4645d03255e620758f0bcad551c282061a7de26

commit f4645d03255e620758f0bcad551c282061a7de26
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-01-16 12:17:56 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-01-16 12:17:56 +0000

    net-misc/rsync: Security cleanup
    
    Bug: https://bugs.gentoo.org/640570
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 net-misc/rsync/rsync-3.1.2-r1.ebuild | 89 ------------------------------------
 1 file changed, 89 deletions(-)}
Comment 14 Thomas Deutschmann gentoo-dev Security 2018-01-16 12:20:15 UTC
New GLSA request filed.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2018-01-17 03:39:40 UTC
This issue was resolved and addressed in
 GLSA 201801-16 at https://security.gentoo.org/glsa/201801-16
by GLSA coordinator Mikle Kolyada (Zlogene).