oss-sec mailing list archives

Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync


From: Bastian Blank <waldi () debian org>
Date: Sat, 21 Oct 2017 12:03:37 +0200

Hi Seth

On Fri, Oct 20, 2017 at 03:37:58PM -0700, Seth Arnold wrote:
> I'm not sure what 'script' vs 'not-script' has to do with anything.
> 'Script' really just means "interpreted programming language" and says
> nothing about the threat model in use.

Almost none of the so-called script languages are interpreted.  They
include a compiler, usually compile the input to some form of byte-code
and execute it within a VM.  But that's just definition.

> Probably other programs use rsync without --safe-links when they should.
> I didn't know the option existed until this thread was started (seriously,
> rsync(1) is a HUGE manpage) so I'm grateful to the original reporter
> for sending it along.

Raising awareness was one reason why I asked for a CVE id instead of
just fixing it.  rsync, even if the protocol is really bad, is widely
used to mirror all sorts of software.  It is also a generic tool, so the
defaults are there to replicate the input as much as possible, not to be
safe from problematic things.

Regards,
Bastian

-- 
Humans do claim a great deal for that particular emotion (love).
                -- Spock, "The Lights of Zetar", stardate 5725.6
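
An added example, not part of the original message or of ftpsync: a Python audit that walks an already-mirrored tree and reports symlinks that are absolute or climb above the tree root, the kind of link rsync(1) documents --safe-links as ignoring. The check is lexical and only approximates that behaviour, it is not rsync's implementation; the function names and the sample tree are constructed for illustration.

```python
import os
import posixpath
import tempfile


def is_unsafe_link(link_relpath, target):
    """Lexical check: True if target is absolute or climbs above the tree root."""
    if target.startswith("/"):
        return True
    base = posixpath.dirname(link_relpath)
    depth = len([p for p in base.split("/") if p not in ("", ".")])
    for part in target.split("/"):
        if part in ("", "."):
            continue
        depth += -1 if part == ".." else 1
        if depth < 0:
            return True
    return False


def find_unsafe_links(root):
    """Return sorted (link path relative to root, link target) for unsafe symlinks."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                target = os.readlink(full)
                if is_unsafe_link(rel, target):
                    findings.append((rel, target))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample mirror: one in-tree link, two that leave the tree."""
    os.makedirs(os.path.join(root, "pool", "main"))
    os.makedirs(os.path.join(root, "dists"))
    open(os.path.join(root, "pool", "main", "pkg.deb"), "w").close()
    os.symlink("../pool/main/pkg.deb", os.path.join(root, "dists", "ok"))
    os.symlink("../../outside", os.path.join(root, "dists", "escape"))
    os.symlink("/etc/hostname", os.path.join(root, "pool", "absolute"))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, target in find_unsafe_links(tmp):
            print(f"unsafe symlink: {rel} -> {target}")
```

Run against a mirror directory, a non-empty result means the tree was populated without filtering such links and the listed entries should be reviewed before the mirror is served.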

