Bug 880177 (CVE-2012-2252)
Field | Value
---|---
Summary | CVE-2012-2252 rssh: incorrect filtering of rsync --rsh command line option
Product | [Other] Security Response
Component | vulnerability
Status | CLOSED ERRATA
Severity | medium
Priority | medium
Version | unspecified
Hardware | All
OS | Linux
Reporter | Tomas Hoger <thoger>
Assignee | Red Hat Product Security <security-response-team>
CC | jlieskov, security-response-team, xavier
Keywords | Security
Fixed In Version | rssh 2.3.4
Doc Type | Bug Fix
Last Closed | 2013-05-08 17:38:50 UTC
Bug Depends On | 880991, 880992
Description
Tomas Hoger
2012-11-26 12:44:55 UTC
Fixed now in upstream rssh 2.3.4.

http://sourceforge.net/mailarchive/message.php?msg_id=30153369
http://www.debian.org/security/2012/dsa-2578

Created attachment 653346
Updated rsync 3 patch from Debian

Source:
http://patch-tracker.debian.org/patch/series/view/rssh/2.3.3-6/fixes/rsync-protocol.diff

Upstream fix for this issue replaced:

    if ( strstr(*cl, "--rsh=" ) ){

check by a:

    if ( strstr(*cl, "--rsh" ) ){

in check_command_line() in util.c.

In Fedora packages, where we already have a patch adding rsync 3 support, updated rsync-protocol.diff patch from Debian rssh packages should be considered instead (which checks both -e and --rsh in the rsync_e_okay()).

Created rssh tracking bugs for this issue

Affects: fedora-all [bug 880991]
Affects: epel-all [bug 880992]

rssh-2.3.4-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

Other references:

http://archives.neohapsis.com/archives/bugtraq/2012-11/0101.html
http://www.securityfocus.com/bid/56708
http://osvdb.org/87926
http://secunia.com/advisories/51307
http://secunia.com/advisories/51343
http://xforce.iss.net/xforce/xfdb/80335

rssh-2.3.4-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
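The two strstr() tests quoted in the report above, compared as a regression check. This is an added example, not code from rssh or from the reporter: the function names, the NULL-terminated argument-vector shape and the sample vectors are assumptions constructed for illustration. It also shows that the substring match rejects any argument that merely contains "--rsh", such as a file name.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Pre-2.3.4 test quoted in the report: matches only the literal "--rsh=". */
static bool old_check_rejects(char *const *cl)
{
    for (; *cl != NULL; cl++)
        if (strstr(*cl, "--rsh="))
            return true;
    return false;
}

/* 2.3.4 test quoted in the report: matches "--rsh" with or without "=". */
static bool new_check_rejects(char *const *cl)
{
    for (; *cl != NULL; cl++)
        if (strstr(*cl, "--rsh"))
            return true;
    return false;
}

/* Constructed argument vectors; VALUE is a placeholder, not a real command. */
static char *const joined[]   = { "rsync", "--server", "--rsh=VALUE", ".", "dir/", NULL };
static char *const split[]    = { "rsync", "--server", "--rsh", "VALUE", ".", "dir/", NULL };
static char *const harmless[] = { "rsync", "--server", "--sender", ".", "dir/", NULL };
static char *const filename[] = { "rsync", "--server", ".", "notes--rsh.txt", NULL };

/* Bit i is set when the check rejects vector i (order as declared above). */
static unsigned verdicts(bool (*check)(char *const *))
{
    char *const *const vectors[] = { joined, split, harmless, filename };
    unsigned mask = 0;
    for (size_t i = 0; i < sizeof vectors / sizeof vectors[0]; i++)
        if (check(vectors[i]))
            mask |= 1u << i;
    return mask;
}

int main(void)
{
    /* Exit status 0 when the old check rejects only "joined" and the new
       check rejects "joined", "split" and "filename". */
    return (verdicts(old_check_rejects) == 0x1u &&
            verdicts(new_check_rejects) == 0xbu) ? 0 : 1;
}
```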