Bugtraq mailing list archives
[ GLSA 200804-16 ] rsync: Execution of arbitrary code
From: Robert Buchholz <rbu () gentoo org>
Date: Thu, 17 Apr 2008 14:05:38 +0200
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200804-16 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: rsync: Execution of arbitrary code Date: April 17, 2008 Bugs: #216887 ID: 200804-16 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== A buffer overflow in rsync might lead to the remote execution of arbitrary code when extended attributes are being used. Background ========== rsync is a file transfer program to keep remote directories synchronized. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-misc/rsync < 2.6.9-r6 >= 2.6.9-r6 Description =========== Sebastian Krahmer of SUSE reported an integer overflow in the expand_item_list() function in the file util.c which might lead to a heap-based buffer overflow when extended attribute (xattr) support is enabled. Impact ====== A remote attacker could send a file containing specially crafted extended attributes to an rsync deamon, or entice a user to sync from an rsync server containing specially crafted files, possibly leading to the execution of arbitrary code. Please note that extended attributes are only enabled when USE="acl" is enabled, which is the default setting. Workaround ========== Disable extended attributes in the rsync daemon by setting "refuse options = xattrs" in the file "/etc/rsyncd.conf" (or append "xattrs" to an existing "refuse" statement). When synchronizing to a server, do not provide the "-X" parameter to rsync. You can also disable the "acl" USE flag for rsync and recompile the package. Resolution ========== All rsync users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/rsync-2.6.9-r6" References ========== [ 1 ] CVE-2008-1720 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1720 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200804-16.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security () gentoo org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5
Attachment:
signature.asc
Description: This is a digitally signed message part.
Current thread:
- [ GLSA 200804-16 ] rsync: Execution of arbitrary code Robert Buchholz (Apr 17)