Bug 152764

Summary: CAN-2004-0792 rsync path sanitizing bug
Product: [Retired] Fedora Legacy
Reporter: Marc Deslauriers <marc.deslauriers>
Component: rsync
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: botsch, sheltren, simon
Hardware: All
OS: Linux
URL: http://samba.org/rsync/#security_aug04
Whiteboard: LEGACY, rh73, rh90
Doc Type: Bug Fix
Last Closed: 2005-04-05 23:19:21 UTC

Description David Lawrence 2005-03-30 23:26:38 UTC
Directory traversal vulnerability in the sanitize_path function in util.c for
rsync 2.6.2 and earlier, when chroot is disabled, allows attackers to read or
write certain files.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0792
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=130050
http://www.redhat.com/archives/fedora-announce-list/2004-August/msg00023.html
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=130044
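The class of check the description refers to, as an added illustration that is not rsync's sanitize_path() nor code from this bug's patch: a lexical routine (hypothetical names confine_path and confined) that collapses `.` and `..`, strips leading slashes, and rejects any path that would climb above the module root. With chroot disabled there is no kernel-enforced backstop, so a check like this is the only thing keeping a daemon-supplied path inside the module directory.

```c
#include <string.h>

/* Constructed illustration (not rsync's sanitize_path): lexically confine an
 * untrusted path to a module root. Writes the cleaned, root-relative path into
 * out and returns 1, or returns 0 if the path would climb above the root (or
 * does not fit in out). */
int confine_path(const char *in, char *out, size_t outlen)
{
    size_t depth = 0;                       /* components currently kept */
    size_t pos = 0;                         /* write position in out */
    const char *p = in;

    out[0] = '\0';
    while (*p) {
        while (*p == '/') p++;              /* leading and doubled slashes */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - start);

        if (len == 1 && start[0] == '.')    /* "." contributes nothing */
            continue;
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)                 /* ".." at the root escapes: reject */
                return 0;
            while (pos > 0 && out[pos - 1] != '/') pos--;  /* pop component */
            if (pos > 0) pos--;             /* and its separator */
            out[pos] = '\0';
            depth--;
            continue;
        }
        if (pos + len + 2 > outlen)         /* room for '/', component, NUL */
            return 0;
        if (pos > 0) out[pos++] = '/';
        memcpy(out + pos, start, len);
        pos += len;
        out[pos] = '\0';
        depth++;
    }
    return 1;
}

/* Convenience wrapper for quick checks; NULL means the path was rejected. */
const char *confined(const char *in)
{
    static char buf[256];
    return confine_path(in, buf, sizeof buf) ? buf : NULL;
}
```

A lexical check like this does not see symlinks inside the root that point outside it; without chroot that remains a separate concern for the daemon configuration.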



------- Additional Comments From michal 2004-08-26 07:10:07 ----

Created an attachment (id=818)
a patch for CAN-2004-0792

This is an "upstream" patch re-diffed on top of rsync-2.5.7-1.legacy.7x
(which fixes other problems and has been waiting since the beginning of May; see
bug #1569).



------- Additional Comments From dwb7.edu 2004-08-30 08:15:42 ----

Built packages for RH7.3 using the patch included in the bug report:

sha1sum -b *
1e6654d3140d288c9bb7c4ef6cf17a4a599d7ab5 *rsync-2.5.7-2.legacy.7x.i386.rpm
150854cb79639eabd67e6d433e6e6eda3a0a1850 *rsync-2.5.7-2.legacy.7x.src.rpm

Download from:
http://cf.ccmr.cornell.edu/publicdownloads/fedoralegacy-testing/rsync

-DWB





------- Additional Comments From marcdeslauriers 2004-09-01 15:26:35 ----

Here are updated packages for rh9 to QA:

de1fe6952afccf95d4a859106eb9d7049f22e01f  rsync-2.5.7-2.legacy.9.i386.rpm
571be679eb3b0d6ba0d305f97451011455fcd190  rsync-2.5.7-2.legacy.9.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/9/rsync-2.5.7-2.legacy.9.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/rsync-2.5.7-2.legacy.9.src.rpm





------- Additional Comments From lists 2004-09-02 04:14:38 ----

Installed the rsync-2.5.7-2.legacy.9.i386.rpm on Redhat 8, worked
fine.
Built the rsync-2.5.7-2.legacy.9.src.rpm on Redhat 9, built fine,
installed with no problems and worked fine.

Matt Dickinson





------- Additional Comments From lists 2004-09-02 04:25:03 ----

Following better QA advice...

571be679eb3b0d6ba0d305f97451011455fcd190  rsync-2.5.7-2.legacy.9.src.rpm
de1fe6952afccf95d4a859106eb9d7049f22e01f  rsync-2.5.7-2.legacy.9.i386.rpm

Installed the rsync-2.5.7-2.legacy.9.i386.rpm on Redhat 8, worked
fine.
Built the rsync-2.5.7-2.legacy.9.src.rpm on Redhat 9, built fine,
installed with no problems and worked fine.

I'd go for PUBLISH on both.

Matt





------- Additional Comments From mule 2004-09-11 17:06:22 ----

de1fe6952afccf95d4a859106eb9d7049f22e01f  rsync-2.5.7-2.legacy.9.i386.rpm
571be679eb3b0d6ba0d305f97451011455fcd190  rsync-2.5.7-2.legacy.9.src.rpm
  
For Red Hat 9:
 
* Checked out patches for CAN-2004-0426, CAN-2004-0792 - OK
* Checked out spec file - OK
* Build from source - OK
* Install - OK
  
PUBLISH
 




------- Additional Comments From marcdeslauriers 2004-09-12 08:29:56 ----

I did QA on the following package for rh73:

150854cb79639eabd67e6d433e6e6eda3a0a1850 *rsync-2.5.7-2.legacy.7x.src.rpm

- Source matches previous release
- Patch file looks good
- Spec file looks good
- Builds, installs and runs OK

+PUBLISH





------- Additional Comments From simon 2004-09-13 12:04:44 ----

QA'ed on redhat 7.3

sha1sum -b *

150854cb79639eabd67e6d433e6e6eda3a0a1850 *rsync-2.5.7-2.legacy.7x.src.rpm

Original Package - OK
Patches - OK
SPEC - OK
Build - OK
Install - OK

+PUBLISH

- Si



------- Additional Comments From marcdeslauriers 2004-09-17 13:01:52 ----

Created an attachment (id=853)
Advisory draft

Here is a draft for the advisory



------- Additional Comments From sheltren.edu 2004-09-29 09:00:33 ----

QA for RH 9 packages from updates-testing:

rsync-2.5.7-2.legacy.9.i386.rpm:
    Header V3 DSA signature: OK, key ID 731002fa
    Header SHA1 digest: OK (0fc1468e41151867d80487ea5071c6484c879bec)
    MD5 digest: OK (b27d07becab137e59dacecd06bbc7018)
    V3 DSA signature: OK, key ID 731002fa

Package installs cleanly
Able to rsync using both with an rsync:// server and via ssh

VERIFY++
I vote for moving into updates



------- Additional Comments From ckelley 2004-09-29 12:10:20 ----

1101ad1c735a11c9be6f4d45971374a6195431d9  rsync-2.5.7-2.legacy.7x.i386.rpm
4bb344d823f423cf5c1cc64d949dd1d9408960e7  rsync-2.5.7-2.legacy.7x.src.rpm
package builds just fine (rh73); after installing the new binary packages,
rsync functions fine (rsync'd a legacy mirror).
 
+VERIFY



------- Additional Comments From marcdeslauriers 2004-09-29 12:15:41 ----

Two verifies, moved to updates.



------- Bug moved to this database by dkl 2005-03-30 18:26 -------

This bug previously known as bug 2003 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2003
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
a patch for CAN-2004-0792
https://bugzilla.fedora.us/attachment.cgi?action=view&id=818
Advisory draft
https://bugzilla.fedora.us/attachment.cgi?action=view&id=853

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.