CLD-232 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2018-5764 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) rsync
Deficiency Type SECURITY
Date Created 2018-01-17 18:19:16
Date Last Modified 2018-01-18 16:00:56

Version Specific Information:

Cucumber 1.0 i686 fixed in rsync-3.1.2-i686-8
Cucumber 1.0 x86_64 fixed in rsync-3.1.2-x86_64-8

Cucumber 1.1 i686 fixed in rsync-3.1.2-i686-8
Cucumber 1.1 x86_64 fixed in rsync-3.1.2-x86_64-8

Details:

=================================== Overview ===================================

The parse_arguments function in options.c in rsyncd in rsync before 3.1.3 does
not prevent multiple --protect-args uses, which allows remote attackers to
bypass an argument-sanitization protection mechanism. 

================================ Initial Report ================================

From https://download.samba.org/pub/rsync/src-previews/rsync-3.1.3pre1-NEWS:

NEWS for rsync 3.1.3 (UNRELEASED)
Protocol: 31 (unchanged)
Changes since 3.1.2:

  SECURITY FIXES:
    - Fixed a buffer overrun in the protocol's handling of xattr names and
      ensure that the received name is null terminated.
    - Fix an issue with --protect-args where the user could specify the arg in
      the protected-arg list and short-circuit some of the arg-sanitizing code.

================================= Our Analysis =================================

----- Affected Products -----
Versions of rsyncd prior to 3.1.3pre1 that have not had the patch from
https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=7706303828fcde524222babb2833864a4bd09e07
applied are vulnerable. This includes rsync as originally packaged with
Cucumber Linux 1.0 and 1.1.

----- Scope and Impact of this Vulnerability -----
This vulnerability allows a remote attacker to bypass intended argument
sanitization. The exact extent of what this allows for is not publicly known as
of Thu Jan 18 13:15:27 EST 2018.

----- Fix for this Vulnerability -----
This vulnerability can be fixed by applying the patch from
https://git.samba.org/rsync.git/?p=rsync.git;a=patch;h=7706303828fcde524222babb2833864a4bd09e07.

================================= Our Solution =================================

We have applied the aforementioned patch and rebuilt.
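
The following check is an added example, not part of the original advisory or
of Cucumber Linux's tooling: it classifies an rsync package name against the
"fixed in" builds listed above. It assumes the name-version-arch-build naming
seen in those entries and a sort that supports -V (GNU coreutils); the function
name cld232_status is hypothetical.

```shell
#!/bin/sh
# Added example: classify an rsync package name against CLD-232.
# Prints "fixed", "vulnerable" or "unknown" for a name such as rsync-3.1.2-i686-8.

FIXED_VERSION="3.1.2"  # version that received the backported patch (per advisory)
FIXED_BUILD=8          # first patched build of that version (per advisory)

cld232_status() {
    pkg=$1
    # Require at least name-version-arch-build.
    case $pkg in
        *-*-*-*) ;;
        *) echo unknown; return 0 ;;
    esac
    # Split from the right: build, arch and version are the last three fields.
    build=${pkg##*-};    rest=${pkg%-*}
    arch=${rest##*-};    rest=${rest%-*}
    version=${rest##*-}; name=${rest%-*}
    build_num=${build%%[!0-9]*}   # tolerate a suffix after the build number

    if [ "$name" != "rsync" ] || [ -z "$build_num" ]; then
        echo unknown; return 0
    fi
    case $version in
        [0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac

    if [ "$version" = "$FIXED_VERSION" ]; then
        # Same upstream version: only the package build number tells them apart.
        if [ "$build_num" -ge "$FIXED_BUILD" ]; then echo fixed; else echo vulnerable; fi
        return 0
    fi
    # Different version: anything sorting after 3.1.2 (3.1.3pre1, 3.1.3, ...)
    # already contains the upstream fix; anything before it does not.
    lowest=$(printf '%s\n%s\n' "$version" "$FIXED_VERSION" | sort -V | head -n 1)
    if [ "$lowest" = "$FIXED_VERSION" ]; then echo fixed; else echo vulnerable; fi
    return 0
}

# Constructed sample names, not taken from a real system.
for p in rsync-3.1.2-x86_64-7 rsync-3.1.2-x86_64-8 rsync-3.1.3pre1-i686-1; do
    printf '%s: %s\n' "$p" "$(cld232_status "$p")"
done
```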