Bug 1515735 (CVE-2017-15994)

Summary: CVE-2017-15994 rsync: Mishandles archaic checksums
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: code, hobbes1069, luhliari, mruprich, ssorce
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2017-12-19 16:03:02 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1511412, 1511413, 1511414
Bug Blocks: 1515738

Description Andrej Nemec 2017-11-21 09:50:19 UTC
It was found that rsync mishandles archaic checksums, which makes it easier for remote attackers to bypass intended access restrictions.

Upstream patches:

https://git.samba.org/?p=rsync.git;a=commit;h=7b8a4ecd6ff9cdf4e5d3850ebf822f1e989255b3
https://git.samba.org/?p=rsync.git;a=commit;h=9a480deec4d20277d8e20bc55515ef0640ca1e55
https://git.samba.org/?p=rsync.git;a=commit;h=c252546ceeb0925eb8a4061315e3ff0a8c55b48b

Comment 1 Andrej Nemec 2017-11-21 09:50:54 UTC
Created rsync tracking bugs for this issue:

Affects: fedora-all [bug 1511414]


Created rsync-bpc tracking bugs for this issue:

Affects: epel-7 [bug 1511413]
Affects: fedora-all [bug 1511412]

Comment 2 Richard Shaw 2017-11-21 12:55:25 UTC
None of the commits listed will apply to rsync-bpc. Most of the code around the changes just isn't there. 

What version of rsync are they supposed to work with?

Comment 3 Andrej Nemec 2017-11-21 16:54:32 UTC
(In reply to Richard Shaw from comment #2)
> None of the commits listed will apply to rsync-bpc. Most of the code around
> the changes just isn't there. 
> 
> What version of rsync are they supposed to work with?

It's entirely possible that rsync-bpc is not vulnerable to these issues; I did not investigate in depth.

Comment 4 Richard Shaw 2017-11-21 20:09:25 UTC
I think it's only minimally altered to be able to pass some attributes BackupPC needs, so I would think it would be, but it's only used from the server side to a client, which I think makes this less of a concern.

Comment 6 Raphael Sanchez Prudencio 2017-12-19 16:06:12 UTC
Statement:

Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.