[OpenPKG-SA-2004.037] OpenPKG Security Advisory (rsync)

[OpenPKG <openpkg () openpkg org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security () openpkg org                         openpkg () openpkg org
OpenPKG-SA-2004.037                                          15-Aug-2004
________________________________________________________________________

Package:             rsync
Vulnerability:       filesystem path determination
OpenPKG Specific:    no

Affected Releases:   Affected Packages:       Corrected Packages:
OpenPKG CURRENT      <= rsync-2.6.2-20040706  >= rsync-2.6.2-20040815
OpenPKG 2.1          <= rsync-2.6.2-2.1.0     >= rsync-2.6.2-2.1.1
OpenPKG 2.0          <= rsync-2.6.0-2.0.1     >= rsync-2.6.0-2.0.2

Dependent Packages:  none

Description:
  According to a security notice [1] by the vendor, a path-sanitizing
  bug exists in the filesystem synchronization utility RSYNC [2]. The
  bug affects daemon mode in all RSYNC versions up to and including
  2.6.2 if option "use chroot" is disabled (not the case in the default
  configuration in OpenPKG). It does not affect the normal send/receive
  filenames that specify what files should be transferred, but it does
  affect certain option paths that cause auxilliary files to be read or
  written.

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q rsync". If you have the "rsync" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution) and its dependent packages (see above), if
  any, too [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.1, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.1/UPD
  ftp> get rsync-2.6.2-2.1.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig rsync-2.6.2-2.1.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild rsync-2.6.2-2.1.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/rsync-2.6.2-2.1.1.*.rpm
________________________________________________________________________

References:
  [1] http://samba.org/rsync/#security_aug04
  [2] http://samba.org/rsync/
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/2.1/UPD/rsync-2.6.2-2.1.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.0/UPD/rsync-2.6.0-2.0.2.src.rpm
  [7] ftp://ftp.openpkg.org/release/2.1/UPD/
  [8] ftp://ftp.openpkg.org/release/2.0/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg () openpkg org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg () openpkg org>

iD8DBQFBHzgxgHWT4GPEy58RAlwUAKDtW9fyxZqfN+uCB/egu5RTSCn3DwCfUuNE
8fth6K4zemMCmK1EPvWgAOw=
=Z7z1
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html