diff -u rsync-3.1.0/debian/changelog rsync-3.1.0/debian/changelog
--- rsync-3.1.0/debian/changelog
+++ rsync-3.1.0/debian/changelog
@@ -1,3 +1,17 @@
+rsync (3.1.0-2ubuntu0.4) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: receive_xattr function does not check
+ for '\0' character allowing denial of service attacks
+ - debian/patches/CVE-2017-16548.patch: enforce trailing
+ \0 when receiving xattr values in xattrs.c.
+ - CVE-2017-16548
+ * SECURITY UPDATE: Allows remote attacker to bypass argument
+ - debian/patches/CVE-2018-5764.patch: Ignore --protect-args
+ when already sent by client in options.c.
+ - CVE-2018-5764
+
+ -- Leonidas S. Barbosa Thu, 18 Jan 2018 17:00:13 -0300
+
 rsync (3.1.0-2ubuntu0.3) trusty-security; urgency=medium
 * SECURITY UPDATE: bypass intended access restrictions
only in patch2: unchanged:
--- rsync-3.1.0.orig/debian/patches/CVE-2017-16548.patch
+++ rsync-3.1.0/debian/patches/CVE-2017-16548.patch
@@ -0,0 +1,25 @@
+From 47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1 Mon Sep 17 00:00:00 2001
+From: Wayne Davison
+Date: Sun, 5 Nov 2017 11:33:15 -0800
+Subject: [PATCH] Enforce trailing \0 when receiving xattr name values. Fixes
+ bug 13112.
+
+---
+ xattrs.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+Index: rsync-3.1.0/xattrs.c
+===================================================================
+--- rsync-3.1.0.orig/xattrs.c
++++ rsync-3.1.0/xattrs.c
+@@ -694,6 +694,10 @@ void receive_xattr(int f, struct file_st
+ out_of_memory("receive_xattr");
+ name = ptr + dget_len + extra_len;
+ read_buf(f, name, name_len);
++ if (name_len < 1 || name[name_len-1] != '\0') {
++ rprintf(FERROR, "Invalid xattr name received (missing trailing \\0).\n");
++ exit_cleanup(RERR_FILEIO);
++ }
+ if (dget_len == datum_len)
+ read_buf(f, ptr, dget_len);
+ else {
only in patch2: unchanged:
--- rsync-3.1.0.orig/debian/patches/CVE-2018-5764.patch
+++ rsync-3.1.0/debian/patches/CVE-2018-5764.patch
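Review bot: The new guard after `read_buf(f, name, name_len)` exits with `RERR_FILEIO`, but a name that arrives without its terminator is a malformed value from the peer rather than a local file I/O failure, so `exit_cleanup(RERR_PROTOCOL);` would classify the event more accurately in the server log and in anything keyed on rsync's exit code. The check itself is sound (the `name_len < 1` test is evaluated first, so `name[name_len-1]` is never indexed with a zero length), but it has no why-comment; I would add `/* name is used as a C string below, so a missing NUL would read past the name_len bytes just received */` above the `if`, hedged as "used as a C string" since the later uses are outside this hunk. receive_xattr begins and ends outside the hunk, so whether the same check is needed for the datum bytes read by the following `read_buf` calls cannot be judged from here.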
@@ -0,0 +1,38 @@
+From 7706303828fcde524222babb2833864a4bd09e07 Mon Sep 17 00:00:00 2001
+From: Jeriko One
+Date: Mon, 20 Nov 2017 14:42:30 -0800
+Subject: [PATCH] Ignore --protect-args when already sent by client
+
+In parse_arguments when --protect-args is encountered the function exits
+early. The caller is expected to check protect_args, and recall
+parse_arguments setting protect_args to 2. This patch prevents the
+client from resetting protect_args during the second pass of
+parse_arguments. This prevents parse_arguments returning early the
+second time before it's able to sanitize the arguments it received.
+---
+ options.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+Index: rsync-3.1.0/options.c
+===================================================================
+--- rsync-3.1.0.orig/options.c
++++ rsync-3.1.0/options.c
+@@ -1292,6 +1292,7 @@ int parse_arguments(int *argc_p, const c
+ const char *arg, **argv = *argv_p;
+ int argc = *argc_p;
+ int opt;
++ int orig_protect_args = protect_args;
+
+ if (ref && *ref)
+ set_refuse_options(ref);
+@@ -1885,6 +1886,10 @@ int parse_arguments(int *argc_p, const c
+ if (fuzzy_basis > 1)
+ fuzzy_basis = basis_dir_cnt + 1;
+
++ /* Don't let the client reset protect_args if it was already processed */
++ if (orig_protect_args == 2 && am_server)
++ protect_args = orig_protect_args;
++
+ if (protect_args == 1 && am_server)
+ return 1;
+
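Review bot: The restore in the second hunk silently overwrites whatever the client set during the server's second pass, so a client that re-sends `--protect-args` or `--no-protect-args` leaves no trace in the server log; logging the discrepancy before restoring, e.g. `if (orig_protect_args == 2 && am_server && protect_args != orig_protect_args) rprintf(FERROR, "ignoring protect-args option resent by client\n");`, would make such sessions visible to operators without changing the fix. The restore also runs only after the whole option loop, so any read of protect_args between the loop and this point would still see the client-supplied value on the second pass — no such read is visible in the hunk, so this is a point to confirm against the rest of parse_arguments rather than a known defect. The existing comment states the what; I would extend it to the why: `/* Server second pass: protect_args must stay 2, or a client-resent --protect-args would make us return before the received args are sanitized. */`. parse_arguments starts and ends outside both hunks.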