CLD-170 Details
Other IDs this deficiency may be known by:
Basic Information:
Affected Package(s) | rsync |
Deficiency Type | SECURITY |
Date Created | 2017-12-06 11:10:43 |
Date Last Modified | 2017-12-06 16:24:27 |
Version Specific Information:
Cucumber 1.0 i686 | fixed in rsync-3.1.2-i686-6 |
Cucumber 1.0 x86_64 | fixed in rsync-3.1.2-x86_64-6 |
Cucumber 1.1 i686 | fixed in rsync-3.1.2-i686-6 |
Cucumber 1.1 x86_64 | fixed in rsync-3.1.2-x86_64-6 |
Details:
=================================== Overview ===================================
From https://nvd.nist.gov/vuln/detail/CVE-2017-17434:
The daemon in rsync 3.1.2, and 3.1.3-development before 2017-11-03, does not
check for fnamecmp filenames in the daemon_filter_list data structure (in the
recv_files function in receiver.c) and also does not apply the sanitize_paths
protection mechanism to pathnames found in "xname follows" strings (in the
read_ndx_and_attrs function in rsync.c), which allows remote attackers to bypass
intended access restrictions.
================================= Our Analysis =================================
----- Affected Products -----
Rsync version 3.1.2 that has not had the following two patches applied is
vulnerable:
https://git.samba.org/?p=rsync.git;a=patch;h=5509597decdbd7b91994210f700329d8a35e70a1
https://git.samba.org/?p=rsync.git;a=patch;h=70aeb5fddd1b2f8e143276f8d5a085db16c593b9
This includes rsync as originally packaged in Cucumber Linux 1.0 and 1.1. At
this time, we are unsure whether other versions of Rsync are affected.
----- Scope and Impact of this Vulnerability -----
Allows remote attackers to bypass access restrictions.
----- Fix for this Vulnerability -----
This vulnerability can be fixed by applying the following two patches:
https://git.samba.org/?p=rsync.git;a=patch;h=5509597decdbd7b91994210f700329d8a35e70a1
https://git.samba.org/?p=rsync.git;a=patch;h=70aeb5fddd1b2f8e143276f8d5a085db16c593b9
================================= Our Solution =================================
We have applied a consolidated version of the two aforementioned patches. The
consolidated patch can be found at
http://mirror.cucumberlinux.com/cucumber/cucumber-1.0/source/net-general/rsync/patches/0003_CVE-2017-17434_consolidated.patch
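
The following is an added example, not part of the original advisory or of Cucumber Linux's tooling: a shell function that classifies a package identifier against the fixed builds listed under "Version Specific Information". It assumes identifiers have the form name-version-arch-build as shown above, that the last field is a numeric build counter, and that builds later than 6 keep the fix; the function name and the sample identifiers are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a package identifier against CLD-170.
# Assumed format (taken from the advisory's own strings): name-version-arch-build

# classify_rsync_pkg PKG
# Prints one of: fixed, vulnerable, unknown, not-rsync, malformed
classify_rsync_pkg() {
    pkg=$1
    # Require at least three '-' separators.
    case $pkg in
        *-*-*-*) ;;
        *) echo malformed; return 0 ;;
    esac
    # Split from the right, because a package name may itself contain '-'.
    build=${pkg##*-};    rest=${pkg%-*}
    arch=${rest##*-};    rest=${rest%-*}
    version=${rest##*-}; name=${rest%-*}

    [ "$name" = rsync ] || { echo not-rsync; return 0; }

    # The build field must be a plain integer to be comparable.
    case $build in
        ''|*[!0-9]*) echo malformed; return 0 ;;
    esac

    # The advisory confirms only 3.1.2 as affected and states that the
    # status of other versions is not known, so do not guess for them.
    [ "$version" = 3.1.2 ] || { echo unknown; return 0; }

    # Fixed builds are listed only for these two architectures.
    case $arch in
        i686|x86_64) ;;
        *) echo unknown; return 0 ;;
    esac

    # Assumption: build 6 introduced the consolidated patch and later
    # builds retain it; earlier 3.1.2 builds are unpatched.
    if [ "$build" -ge 6 ]; then echo fixed; else echo vulnerable; fi
}

# Constructed sample identifiers (not read from a real system).
for p in rsync-3.1.2-x86_64-5 rsync-3.1.2-i686-6 rsync-3.1.1-x86_64-2; do
    printf '%s: %s\n' "$p" "$(classify_rsync_pkg "$p")"
done
```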