Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 648691 Details for
Bug 877279
CVE-2012-2251 rssh: insufficient filtering of -e option for rsync [fedora-all]
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
debian patch for issue
file_877279.txt (text/plain), 2.55 KB, created by
James Clawson
on 2012-11-20 17:54:46 UTC
(
hide
)
Description:
debian patch for issue
Filename:
MIME Type:
Creator:
James Clawson
Created:
2012-11-20 17:54:46 UTC
Size:
2.55 KB
patch
obsolete
>commit 384fabd5319770b627f90ce7e1d6d55a09a42d25 >Author: Russ Allbery <rra@debian.org> >Date: Tue Nov 20 09:05:46 2012 -0800 > > Fix security vulnerability in rsync option validation > > Ensure that --server on the rsync command line does not come after > --, since it will then be ignored by the server, allowing the > client to run rsync commands that should not be permitted. > > Check for the allowable patterns of -e options rather than trying > to catch invalid -e options. This should be unnecessary since > -e is never parsed as a shell if --server is given, but better safe > than sorry. > >diff --git a/util.c b/util.c >index a3e9829..9e79000 100644 >--- a/util.c >+++ b/util.c >@@ -206,21 +206,32 @@ static int rsync_e_okay( char **vec ) > int server = FALSE; > int e_found = FALSE; > >- static const char pattern[] = "^-([^-][^ ]*)?e[^.0-9]"; >- > /* >- * This is more complicated than it looks because we don't want to >- * trigger on the e in --server, but we do want to allow the common >- * case of -ltpre.iL (which contains -e.). >+ * rsync will send -e, followed by either just "." (meaning no special >+ * protocol) or "N.N" (meaning a pre-release protocol version), >+ * followed by some number of alphabetic flags indicating various >+ * supported options. There may be other options between - and the e, >+ * but -e will always be the last option in the string. A typical >+ * option passed by the client is "-ltpre.iL". >+ * >+ * Note that if --server is given, this should never be parsed as a >+ * shell, but we'll tightly verify it anyway, just in case. >+ * >+ * This regex matches the acceptable flags containing -e, so if it >+ * does not match, the command line should be rejected. > */ >+ static const char pattern[] >+ = "^-[^a-df-zA-Z]*e[0-9]*\.[0-9]*[a-zA-Z]*$"; >+ > if ( regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0 ){ > return FALSE; > } > while (vec && *vec){ >+ if ( strcmp(*vec, "--") == 0 ) break; > if ( strcmp(*vec, "--server") == 0 ) server = TRUE; > if ( strncmp(*vec, "--", 2) != 0 && opt_exist(*vec, 'e') ){ > e_found = TRUE; >- if ( regexec(&re, *vec, 0, NULL, 0) == 0 ){ >+ if ( regexec(&re, *vec, 0, NULL, 0) != 0 ){ > regfree(&re); > return FALSE;
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=648691">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 877279
: 648691 |
648713
|
660999