CAN-2004-0426:

rsync before 2.6.1 does not properly sanitize paths when running a
read/write daemon without using chroot, allows remote attackers to
write files outside of the module's path.

This seems to be the fix:
--- rsync-2.5.5.orig/options.c
+++ rsync-2.5.5/options.c
@@ -21,6 +21,8 @@
 #include "rsync.h"
 #include "popt.h"
 
+extern int sanitize_paths;
+
 int make_backups = 0;
 
 /**
@@ -766,6 +768,15 @@
 
 	if (opt_ignore_existing && am_sender) 
 		args[ac++] = "--ignore-existing";
+
+	if (sanitize_paths) {
+		if (tmpdir)
+			sanitize_path(tmpdir, NULL);
+		if (compare_dest)
+			sanitize_path(compare_dest, NULL);
+		if (backup_dir)
+			sanitize_path(backup_dir, NULL);
+	}
 
 	if (tmpdir) {
 		args[ac++] = "--temp-dir";

================================
Test case (exploit) is needed



------- Additional Comments From rok.papez 2004-05-04 11:36:37 ----



*** This bug has been marked as a duplicate of 1569 ***



------- Bug moved to this database by dkl 2005-03-30 18:24 -------

This bug previously known as bug 1568 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1568
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.