oss-sec mailing list archives

Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync


From: Seth Arnold <seth.arnold () canonical com>
Date: Thu, 19 Oct 2017 12:44:28 -0700

On Wed, Oct 18, 2017 at 04:55:07PM -0400, Robert Watson wrote:
> Removing the ability for rsync to copy symlinks pointing to targets outside
> the mirror tree would greatly cripple it. I need to understand how the
> danger is worth the loss of this functionality.

Note that the fix isn't modifying rsync, the fix is modifying the ftpsync
script that calls rsync:

+    RSYNC_OPTIONS=${RSYNC_OPTIONS:-"-prltvHSB8192 --safe-links --timeout 3600 --stats --no-human-readable"}
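
Review bot: the `${RSYNC_OPTIONS:-...}` expansion on this line only supplies the default when RSYNC_OPTIONS is unset or empty, so a mirror whose configuration already sets RSYNC_OPTIONS will not pick up --safe-links from this change. Consider adding --safe-links to the rsync invocation unconditionally, or documenting that operators who override RSYNC_OPTIONS must add the flag themselves.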

https://anonscm.debian.org/cgit/mirror/archvsync.git/commit/?id=d1ca2ab2210990b6dfb664cd6776a41b71c48016

Of course for people who run this mirroring tool as a specific user
account and set file permissions appropriately this is more or less a
no-op. But this is a useful hardening for people who run the ftpsync
command as a user with too many privileges. (I wouldn't have bothered
filing for a CVE for this change; I see it as a simple hardening change.)

This option shouldn't cripple ftpsync as a well-run repository is highly
unlikely to have symlinks pointing out of the tree. A repository with
symlinks pointing out of the tree is already not a suitable rsync source.

Thanks
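
An added example, not part of the original message or of ftpsync: a Python audit that lists symlinks in a local mirror tree whose targets are absolute or climb above the tree root, the kinds of link the rsync man page says `--safe-links` ignores. The lexical check is a simplification rather than rsync's own code, and the function names and sample tree are constructed for illustration.

```python
import os
import posixpath
import tempfile

def is_unsafe_link(link_rel, target):
    """link_rel: link path relative to the mirror root; target: readlink() text."""
    if target.startswith("/"):
        return True  # absolute targets always count as unsafe
    # Start at the depth of the directory holding the link, then walk the target.
    parent = posixpath.dirname(link_rel)
    depth = len([p for p in parent.split("/") if p not in ("", ".")])
    for part in target.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:
                return True  # climbed above the mirror root
        else:
            depth += 1
    return False

def find_unsafe_links(root):
    """Return sorted (link, target) pairs for links that leave the tree."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:  # links to directories land in dirnames
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                rel = os.path.relpath(full, root)
                target = os.readlink(full)
                if is_unsafe_link(rel, target):
                    findings.append((rel, target))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample mirror: two in-tree links, two that leave the tree."""
    os.makedirs(os.path.join(root, "dists", "stable"))
    os.makedirs(os.path.join(root, "pool", "main"))
    os.symlink("stable", os.path.join(root, "dists", "current"))
    os.symlink("../pool/main", os.path.join(root, "dists", "pool-link"))
    os.symlink("../../outside", os.path.join(root, "dists", "escape"))
    os.symlink("/nonexistent/secret", os.path.join(root, "pool", "abs"))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for link, target in find_unsafe_links(tmp):
            print(f"UNSAFE {link} -> {target}")
```

An empty result on a mirror tree means the added `--safe-links` flag would skip nothing there.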
