rsync: directory traversal in daemon mode

Bug #7433 reported by Debian Bug Importer
Affects          Status         Importance   Assigned to      Milestone
rsync (Debian)   Fix Released   Unknown
rsync (Ubuntu)   Fix Released   High         Matt Zimmerman

Bug Description

Automatically imported from Debian bug report #265662 http://bugs.debian.org/265662

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sat, 14 Aug 2004 12:48:13 +0200
From: Florian Weimer <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: rsync: directory traversal in daemon mode

Package: rsync
Version: 2.6.2-2
Severity: grave
Tags: security upstream fixed-upstream patch
Justification: user security hole

The rsync team has announced a new security bug which affects daemon
mode:

  <http://samba.org/rsync/#security_aug04>

The patch is reproduced below (modulo whitespace)

--- orig/util.c 2004-04-27 12:59:37 -0700
+++ util.c 2004-08-11 23:37:27 -0700
@@ -743,7 +743,7 @@
     allowdotdot = 1;
    } else {
     p += 2;
- if (*p == '/')
+ while (*p == '/')
      p++;
     if (sanp != start) {
      /* back up sanp one level */
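Review bot: the one-token change from `if (*p == '/')` to `while (*p == '/')` is the entire fix, and the surrounding context shows why it is needed: after `p += 2` steps over a `..` component, the old `if` consumes exactly one separator, so a run of several slashes following `..` leaves `p` pointing at another `/` and the remainder of the path is processed as though it started at a separator; `while` drains the whole run before the `sanp` back-up in the following lines runs. Two things worth asking for alongside the fix: a short comment above the loop saying that consecutive separators must be collapsed at this point because the back-up logic that follows assumes a single separator after `..`, and a regression test for daemon-mode path sanitising that covers `..` followed by repeated slashes, so the single-separator assumption cannot quietly return in a later refactor.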

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sat, 14 Aug 2004 08:32:02 -0400
From: Paul Slootman <email address hidden>
To: <email address hidden>
Subject: Bug#265662: fixed in rsync 2.6.2-3

Source: rsync
Source-Version: 2.6.2-3

We believe that the bug you reported is fixed in the latest version of
rsync, which is due to be installed in the Debian FTP archive:

rsync_2.6.2-3.diff.gz
  to pool/main/r/rsync/rsync_2.6.2-3.diff.gz
rsync_2.6.2-3.dsc
  to pool/main/r/rsync/rsync_2.6.2-3.dsc
rsync_2.6.2-3_i386.deb
  to pool/main/r/rsync/rsync_2.6.2-3_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Slootman <email address hidden> (supplier of updated rsync package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 14 Aug 2004 14:11:22 +0200
Source: rsync
Binary: rsync
Architecture: source i386
Version: 2.6.2-3
Distribution: unstable
Urgency: high
Maintainer: Paul Slootman <email address hidden>
Changed-By: Paul Slootman <email address hidden>
Description:
 rsync - fast remote file copy program (like rcp)
Closes: 265662
Changes:
 rsync (2.6.2-3) unstable; urgency=high
 .
   * security: directory traversal in daemon mode fix
     closes:#265662
Files:
 a7eb3ef40676966f63e8199197be857e 543 net optional rsync_2.6.2-3.dsc
 76bfa128544419f87f121c2c3ccb035b 44797 net optional rsync_2.6.2-3.diff.gz
 30620f52cb52f32f4c2d75f55f045b4a 161690 net optional rsync_2.6.2-3_i386.deb

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sat, 14 Aug 2004 14:55:21 +0200
From: Florian Weimer <email address hidden>
To: <email address hidden>
Subject: Re: Bug#265662 acknowledged by developer (Bug#265662: fixed in rsync 2.6.2-3)

* Debian Bug Tracking System:

> rsync (2.6.2-3) unstable; urgency=high
> .
> * security: directory traversal in daemon mode fix
> closes:#265662

What about woody?

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sat, 14 Aug 2004 19:53:40 +0200
From: Paul Slootman <email address hidden>
To: Florian Weimer <email address hidden>, <email address hidden>
Subject: Re: Bug#265662: acknowledged by developer (Bug#265662: fixed in rsync 2.6.2-3)

On Sat 14 Aug 2004, Florian Weimer wrote:
>
> > rsync (2.6.2-3) unstable; urgency=high
> > .
> > * security: directory traversal in daemon mode fix
> > closes:#265662
>
> What about woody?

Being worked on by the security team.
You could have notified <email address hidden>
yourself directly, I now did it after seeing your bug report.

Paul Slootman

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 19 Aug 2004 12:00:15 +0200
From: "J.H.M. Dassen (Ray)" <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: Re: [WSO Core #5325] [SECURITY] [DSA 538-1] New rsync packages fix unauthorised directory traversal and file access

reopen 265662
tags 265662 + sarge
thanks

On Thu, Aug 19, 2004 at 10:23:56 +0200, Jan Wagner wrote:
> Does anybody know, if rsync 2.6.2-3 will reach sarge before it is
> released?

The current status: http://bjorn.haxx.se/debian/testing.pl?package=rsync :
 trying to update rsync from 2.6.2-2 to 2.6.2-3 (candidate is 4 days old)
 rsync is not yet built on arm: 2.6.2-2 vs 2.6.2-3
and rsync is in the "needs build" queue for ARM indeed (see
http://www.buildd.net/buildd/arm_needs-build.txt). ARM is currently the port
that has the most problems keeping up (see
http://buildd.debian.org/stats/graph2-week-big.png), so it may take some
time yet before a fixed rsync is available for ARM, after which the fixed
package can percolate into sarge.

> If not, the security hole will be open until the Security Team
> releases a fixed package.

Adjusting the relevant report's status accordingly,
Ray
--
"When you are finished spreading joy on Christmas Eve, come and kick back
with me and Erwin for a while. [...] We'll provide the cocoa and cookies,
and we'll even teach you how to play Quake."
 From the Dust Puppy's letter to Santa Claus.

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 23 Aug 2004 22:28:15 +0200
From: Frank Lichtenheld <email address hidden>
To: <email address hidden>
Subject: Re: Bug#265662: rsync: directory traversal in daemon mode

On Sat, Aug 14, 2004 at 12:48:13PM +0200, Florian Weimer wrote:
> Package: rsync
> Version: 2.6.2-2
> Severity: grave
> Tags: security upstream fixed-upstream patch
> Justification: user security hole
>
> The rsync team has announced a new security bug which affects daemon
> mode:
>
> <http://samba.org/rsync/#security_aug04>

This is fixed now in sarge, too.

Greetings,
--
Frank Lichtenheld <email address hidden>
www: http://www.djpig.de/

Matt Zimmerman (mdz) wrote :

sync complete

Changed in rsync:
status: Unknown → Fix Released