CLD-232 Details
Other IDs this deficiency may be known by:
Basic Information:
Affected Package(s) | rsync |
Deficiency Type | SECURITY |
Date Created | 2018-01-17 18:19:16 |
Date Last Modified | 2018-01-18 16:00:56 |
Version Specific Information:
Cucumber 1.0 i686 | fixed in rsync-3.1.2-i686-8 |
Cucumber 1.0 x86_64 | fixed in rsync-3.1.2-x86_64-8 |
Cucumber 1.1 i686 | fixed in rsync-3.1.2-i686-8 |
Cucumber 1.1 x86_64 | fixed in rsync-3.1.2-x86_64-8 |
Details:
=================================== Overview ===================================
The parse_arguments function in options.c in rsyncd in rsync before 3.1.3 does
not prevent multiple --protect-args uses, which allows remote attackers to
bypass an argument-sanitization protection mechanism.
================================ Initial Report ================================
From https://download.samba.org/pub/rsync/src-previews/rsync-3.1.3pre1-NEWS:
NEWS for rsync 3.1.3 (UNRELEASED)
Protocol: 31 (unchanged)
Changes since 3.1.2:
SECURITY FIXES:
  - Fixed a buffer overrun in the protocol's handling of xattr names and
    ensure that the received name is null terminated.
  - Fix an issue with --protect-args where the user could specify the arg in
    the protected-arg list and short-circuit some of the arg-sanitizing code.
================================= Our Analysis =================================
----- Affected Products -----
Versions of rsyncd prior to 3.1.3pre1 that have not had the patch from
https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=7706303828fcde524222babb2833864a4bd09e07
applied are vulnerable. This includes rsync as originally packaged with
Cucumber Linux 1.0 and 1.1.
----- Scope and Impact of this Vulnerability -----
This vulnerability allows a remote attacker to bypass intended argument
sanitization. The exact extent of what this allows for is not publicly known as
of Thu Jan 18 13:15:27 EST 2018.
----- Fix for this Vulnerability -----
This vulnerability can be fixed by applying the patch from
https://git.samba.org/rsync.git/?p=rsync.git;a=patch;h=7706303828fcde524222babb2833864a4bd09e07.
================================= Our Solution =================================
We have applied the aforementioned patch and rebuilt.
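
To check a host against the fixed builds listed in this entry, the following added example (not part of the original advisory or of Cucumber Linux's tooling) classifies a package string in the name-version-arch-build layout used above. The function names are hypothetical, every package string other than the two fixed builds is constructed, and treating any version above 3.1.2 as fixed follows the overview's "before 3.1.3" wording.

```shell
#!/bin/sh
# Added example, not Cucumber Linux tooling. Assumes package strings in the
# name-version-arch-build layout shown in this entry.

# leading_int STRING: print STRING's leading decimal digits (0 if none),
# with leading zeros stripped so shell arithmetic never sees octal.
leading_int() {
    n=$(printf '%s\n' "$1" | sed 's/^0*\([0-9]*\).*/\1/')
    printf '%s\n' "${n:-0}"
}

# rsync_pkg_status PKG: print "fixed", "vulnerable" or "unknown".
rsync_pkg_status() {
    pkg=$1
    build=${pkg##*-}; rest=${pkg%-*}      # trailing field: build number
    rest=${rest%-*}                       # drop the architecture field
    version=${rest##*-}; name=${rest%-*}

    # Not rsync, or too few fields to split into name/version/arch/build.
    if [ "$name" != "rsync" ] || [ "$name" = "$version" ]; then
        echo unknown
        return 0
    fi

    # Split the version on dots; "3pre1" counts as patch level 3.
    IFS=. read -r maj min pat _extra <<EOF
$version
EOF
    maj=$(leading_int "$maj"); min=$(leading_int "$min"); pat=$(leading_int "$pat")
    v=$(( maj * 10000 + min * 100 + pat ))
    b=$(leading_int "$build")

    if [ "$v" -gt 30102 ]; then
        echo fixed            # newer than 3.1.2 (overview: "before 3.1.3")
    elif [ "$v" -eq 30102 ] && [ "$b" -ge 8 ]; then
        echo fixed            # 3.1.2 rebuilt with the patch (build 8)
    else
        echo vulnerable
    fi
}

# Constructed sample input: the fixed builds from this entry plus hypothetical
# earlier builds, an upstream pre-release and an unrelated package.
for p in rsync-3.1.2-i686-8 rsync-3.1.2-x86_64-8 rsync-3.1.2-x86_64-7 \
         rsync-3.1.3pre1-x86_64-1 librsync-2.0.0-x86_64-1; do
    printf '%-28s %s\n' "$p" "$(rsync_pkg_status "$p")"
done
```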