Red Hat Bugzilla – Bug 111474
CAN-2003-0962 rsync remote exploit
Last modified: 2014-08-31 19:25:37 EDT
A heap overflow bug exists in Rsync versions prior to 2.5.7. On
machines where the Rsync server has been enabled, a remote attacker
could use this flaw to execute arbitrary code as an unprivileged user.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0962 to this issue.
Our upgrade erratum packages will contain version 2.5.7 of Rsync which
is not vulnerable to this issue.
The Rsync server is disabled (off) by default in Red Hat Enterprise
Linux. To check if the Rsync server has been enabled (on), run:
/sbin/chkconfig --list rsync
If the Rsync server has been enabled but is not required it can be
disabled by running as root:
/sbin/chkconfig rsync off
RHSA-2003:399 in progress
An errata has been issued which should help the problem described in this bug report.
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen
this bug report if the solution does not work for you.