[ GLSA 200804-16 ] rsync: Execution of arbitrary code



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200804-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: rsync: Execution of arbitrary code
Date: April 17, 2008
Bugs: #216887
ID: 200804-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow in rsync might lead to the remote execution of
arbitrary code when extended attributes are being used.

Background
==========

rsync is a file transfer program to keep remote directories
synchronized.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-misc/rsync < 2.6.9-r6 >= 2.6.9-r6

Description
===========

Sebastian Krahmer of SUSE reported an integer overflow in the
expand_item_list() function in the file util.c which might lead to a
heap-based buffer overflow when extended attribute (xattr) support is
enabled.

Impact
======

A remote attacker could send a file containing specially crafted
extended attributes to an rsync deamon, or entice a user to sync from
an rsync server containing specially crafted files, possibly leading to
the execution of arbitrary code.

Please note that extended attributes are only enabled when USE="acl" is
enabled, which is the default setting.

Workaround
==========

Disable extended attributes in the rsync daemon by setting "refuse
options = xattrs" in the file "/etc/rsyncd.conf" (or append "xattrs" to
an existing "refuse" statement). When synchronizing to a server, do not
provide the "-X" parameter to rsync. You can also disable the "acl" USE
flag for rsync and recompile the package.

Resolution
==========

All rsync users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/rsync-2.6.9-r6"

References
==========

[ 1 ] CVE-2008-1720
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1720

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200804-16.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@xxxxxxxxxx or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Attachment: signature.asc
Description: This is a digitally signed message part.



Relevant Pages

  • [Full-disclosure] [ GLSA 200804-16 ] rsync: Execution of arbitrary code
    ... Title: rsync: Execution of arbitrary code ... arbitrary code when extended attributes are being used. ... rsync is a file transfer program to keep remote directories ... heap-based buffer overflow when extended attribute support is ...
    (Full-Disclosure)
  • Re: remote copy file
    ... system on our server since it contains data. ... It would be nice if it would work with rsync. ... As I understand it, you need the embedded device to initiate the ransfer, not the remote PC, and you need authentication but without needing to specify a password. ...
    (alt.os.linux.suse)
  • Re: rsync -
    ... The name "rsync" seems to imply that it will make them identical. ... some changes on both machines, but to different files, then rsync is ... "Local to Remote, Delete Remote" \ ... echo "Running rsync for real..."; ...
    (Fedora)
  • Re: [opensuse] backups via rsync leaving old junk in the backup?
    ... I just noticed that the main directory is 247GB, but the remote copy is 354GB. ... I assume rsync can cause the extra files on the remote to be deleted? ... For backup purpuses, --numeric-ids is also useful, because it makes sure ... so it is redundant in your command line. ...
    (SuSE)
  • Re: rsync help requested
    ... that is the default nowadays for rsync. ... rsync on the remote machine telling it where to store the file and other ... It used to be that it used rsh to open the connection, ...
    (uk.comp.os.linux)