CLD-170 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2017-17434 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) rsync
Deficiency Type SECURITY
Date Created 2017-12-06 11:10:43
Date Last Modified 2017-12-06 16:24:27

Version Specific Information:

Cucumber 1.0 i686fixed in rsync-3.1.2-i686-6
Cucumber 1.0 x86_64fixed in rsync-3.1.2-x86_64-6

Cucumber 1.1 i686 fixed in rsync-3.1.2-i686-6
Cucumber 1.1 x86_64 fixed in rsync-3.1.2-x86_64-6


=================================== Overview ===================================


The daemon in rsync 3.1.2, and 3.1.3-development before 2017-11-03, does not
check for fnamecmp filenames in the daemon_filter_list data structure (in the
recv_files function in receiver.c) and also does not apply the sanitize_paths
protection mechanism to pathnames found in "xname follows" strings (in the
read_ndx_and_attrs function in rsync.c), which allows remote attackers to bypass
intended access restrictions.

================================= Our Analysis =================================

----- Affected Products -----

Rsync version 3.1.2 that has not had the following two patches applied is
vulnerable to this vulnerability:;a=patch;h=5509597decdbd7b91994210f700329d8a35e70a1;a=patch;h=70aeb5fddd1b2f8e143276f8d5a085db16c593b9

This includes rsync as origianlly packaged in Cucumber Linux 1.0 and 1.1. At
this time, we are unsure whether other versions of Rsync are affected.

----- Scope and Impact of this Vulnerability -----

Allows for remote attackers to bypass access restrictions. 

----- Fix for this Vulnerability -----

This vulnerablility can be fixed by applying the following two patches:;a=patch;h=5509597decdbd7b91994210f700329d8a35e70a1;a=patch;h=70aeb5fddd1b2f8e143276f8d5a085db16c593b9

================================= Our Solution =================================

We have applied a consolidated version of the two aforementioned patches. The
consolidated patch can be found at