Bugtraq mailing list archives

rsync-2.5.2 has security fix (was: Re: [RHSA-2002:018-05] New rsync packages available)


From: Jim Knoble <jmknoble () pobox com>
Date: Sun, 27 Jan 2002 04:45:41 -0500

Circa 2002-Jan-25 16:33:00 -0500 dixit bugzilla () redhat com:

: ---------------------------------------------------------------------
:                    Red Hat, Inc. Red Hat Security Advisory
:
: Synopsis:          New rsync packages available
: Advisory ID:       RHSA-2002:018-05
: Issue date:        2002-01-23
: Updated on:        2002-01-25
: Product:           Red Hat Linux
: Keywords:          rsync signed unsigned daemon
: Cross references:
: Obsoletes:
: ---------------------------------------------------------------------
:
: 1. Topic:
:
: New rsync packages are available; these fix a remotely exploitable problem
: in the I/O functions.

  [...]

: rsync is a powerful tool used for mirroring directory structures across
: machines.  rsync has been found to contain several signed/unsigned bugs in
: its I/O functions which are remotely exploitable.   A remote user can crash
: the rsync server/client and execute code as the user running the rsync
: server or client.
:
: The Common Vulnerabilities and Exposures project (cve.mitre.org) has
: assigned the name CAN-2002-0048 to this issue.

I can't seem to find any information about this issue at cve.mitre.org;
it simply says:

  ** RESERVED ** This candidate has been reserved by an organization or
  individual that will use it when announcing a new security problem.
  When the candidate has been publicized, the details for this
  candidate will be provided.

I've seen at least three announcements about rsync from different Linux
distribution vendors, but no information at all about what versions are
actually vulnerable, or when the vulnerability was discovered (or fixed).

For folks who have actually moved beyond vendor-supplied
point-and-drool packages of rsync, there's a need for actual real
information about what versions of rsync are vulnerable and what the
fix is.

Hence, this news from http://rsync.samba.org/:

    rsync 2.5.2

             The latest version of rsync is version 2.5.2.

             This version includes the following changes:

             rsync 2.5.2 (26 Jan 2002)

               SECURITY FIXES:

                 * Signedness security patch from Sebastian Krahmer
                   -- in some cases we were not sufficiently
                   careful about reading integers from the network.

Further information is at http://rsync.samba.org/.

I find it tiring that vendors neglect to disclose this sort of
information in their public announcements.  A simple statement such as
"Plain-vanilla versions of rsync less than 2.5.2 are vulnerable.
However, we've backported the fix to our sparkling new package of
rsync-2.4.6.  Customers who use our Strawberry Linux Forever
distribution should upgrade to our packages, listed below: ...."

That sort of information helps everyone.

--
jim knoble | jmknoble () pobox com   | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
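The changelog entry quoted above says only that rsync was "not sufficiently careful about reading integers from the network", and the Red Hat advisory calls the result "signed/unsigned bugs in its I/O functions". The following is an added example written for this archive page; it is not rsync's code and does not reproduce the actual patch. It shows the generic shape of that bug class: a length read from the peer as a signed 32-bit value, checked only against an upper bound, and then handed to memcpy() as size_t. The wire format (a little-endian int32 length prefix), the MAXLEN bound and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed bound on a payload we are willing to copy into a fixed buffer. */
#define MAXLEN 256

/* Assumed wire format (constructed for this example): a 4-byte little-endian
 * int32 length followed by that many payload bytes. The sign bit is entirely
 * under the sender's control. */
static int32_t read_int32_le(const unsigned char *p) {
    uint32_t v = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return (int32_t)v;
}

/* The bug pattern: an upper-bound-only check on a signed value. Any negative
 * length is "<= MAXLEN" and passes. */
static int vulnerable_length_ok(int32_t len) {
    return len <= MAXLEN;
}

/* The fix: reject the negative half of the range before the value is ever
 * used as a size. */
static int hardened_length_ok(int32_t len) {
    return len >= 0 && len <= MAXLEN;
}

/* What a length becomes once it reaches memcpy()/read() as size_t:
 * -1 turns into SIZE_MAX, which is the crash/overwrite the advisory describes. */
static size_t as_copy_size(int32_t len) {
    return (size_t)len;
}

/* Parse one message into dst (capacity MAXLEN) using the hardened check.
 * Returns the payload length copied, -1 if the length was rejected,
 * -2 if the message is shorter than its own length field claims. */
static int receive_message(const unsigned char *msg, size_t msglen,
                           unsigned char *dst) {
    if (msglen < 4) return -2;
    int32_t len = read_int32_le(msg);
    if (!hardened_length_ok(len)) return -1;
    if (msglen - 4 < (size_t)len) return -2;
    memcpy(dst, msg + 4, (size_t)len);
    return (int)len;
}

int main(void) {
    /* Constructed inputs: a benign 5-byte payload and a hostile length of -1. */
    const unsigned char good[] = {5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o'};
    const unsigned char evil[] = {0xff, 0xff, 0xff, 0xff, 'x'};
    unsigned char buf[MAXLEN];

    int32_t len = read_int32_le(evil);
    printf("hostile len=%d vulnerable_ok=%d hardened_ok=%d as size_t=%zu\n",
           (int)len, vulnerable_length_ok(len), hardened_length_ok(len),
           as_copy_size(len));
    printf("good message -> %d bytes\n", receive_message(good, sizeof good, buf));
    printf("evil message -> %d (rejected)\n", receive_message(evil, sizeof evil, buf));
    return 0;
}
```

The point to take from the two check functions is that the comparison `len <= MAXLEN` is not a bounds check at all when `len` is signed: it constrains one end of the range and leaves two billion negative values free to reach the copy. The hardened form tests both ends, and receive_message() additionally refuses to trust the length field beyond the bytes actually received.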
