Bug 152712 - rsync before 2.6.1 does not properly sanitize paths + a segfault
rsync before 2.6.1 does not properly sanitize paths + a segfault
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: Package request (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
http://cve.mitre.org/cgi-bin/cvename....
LEGACY, QA, rh73, rh90
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-05-04 11:14 EDT by Rok Papez
Modified: 2007-04-18 13:22 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-04-05 19:01:58 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description David Lawrence 2005-03-30 18:24:53 EST
CAN-2004-0426:

rsync before 2.6.1 does not properly sanitize paths when running a
read/write daemon without using chroot, allows remote attackers to
write files outside of the module's path.

This seems to be the fix:
--- rsync-2.5.5.orig/options.c
+++ rsync-2.5.5/options.c
@@ -21,6 +21,8 @@
 #include "rsync.h"
 #include "popt.h"
 
+extern int sanitize_paths;
+
 int make_backups = 0;
 
 /**
@@ -766,6 +768,15 @@
 
 	if (opt_ignore_existing && am_sender) 
 		args[ac++] = "--ignore-existing";
+
+	if (sanitize_paths) {
+		if (tmpdir)
+			sanitize_path(tmpdir, NULL);
+		if (compare_dest)
+			sanitize_path(compare_dest, NULL);
+		if (backup_dir)
+			sanitize_path(backup_dir, NULL);
+	}
 
 	if (tmpdir) {
 		args[ac++] = "--temp-dir";

================================
Test case (exploit) is needed



------- Additional Comments From rok.papez@lugos.si 2004-05-04 11:20:14 ----

New rpms with:
- Fix for segfault when RSYNC_PROXY port part is too long
- Fix for CAN-2004-0426: not properly sanitizing paths

http://rok.iprom.si/~rok/fedora_legacy/
661f9891f471e213245ffe9e06b3c8e7  rsync-2.5.7-1.legacy.9.i386.rpm
e1e40246c452d41b17f3392b095e2c50  rsync-2.5.7-1.legacy.9.src.rpm

Please QA! An explot for testing CAN-2004-0426 would be very appreciated :).



------- Additional Comments From rok.papez@lugos.si 2004-05-04 11:36:38 ----

*** Bug 1568 has been marked as a duplicate of this bug. ***



------- Additional Comments From skvidal@phy.duke.edu 2004-05-04 19:31:46 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
md5sum checks out
patch matches recommendation for 2.5.X on rsync-list
patch makes sense
package builds cleanly on rhl9
daemon continues to work after build
looks good to me
wouldn't mind seeing a POC exploit either, though.
PUBLISH
sha1sum:
bf387b415c74964d455fadc9816c490f53ba4a03  rsync-2.5.7-1.legacy.9.src.rpm
md5sum
e1e40246c452d41b17f3392b095e2c50  rsync-2.5.7-1.legacy.9.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
 
iD8DBQFAmHwq1Aj3x2mIbMcRAn52AJ9mhXc0vRR7TpZuzeAC3TbRfvJYbQCeOWaJ
rhd1O6IUKUlrup40x1cX5Jw=
=3k4U
-----END PGP SIGNATURE-----




------- Additional Comments From skvidal@phy.duke.edu 2004-05-04 19:32:19 ----

Adding Jesse for legacy tracking



------- Additional Comments From skvidal@phy.duke.edu 2004-05-04 19:37:01 ----

http://lists.samba.org/archive/rsync/2004-May/009372.html

including reference to patch from rsync archives.



------- Additional Comments From skvidal@phy.duke.edu 2004-05-04 20:01:30 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
built the same package for rhl 7x (should work for all)
39a53458375eb5e3f48d5e965c6cf80902a402c2  rsync-2.5.7-1.legacy.7x.i386.rpm
64025119ded6bf02289e30ac92f693112865d7fd  rsync-2.5.7-1.legacy.7x.src.rpm
those are the sha1sums
available at:
http://linux.duke.edu/~skvidal/RPMS/legacy/rsync/7x/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
 
iD8DBQFAmIMq1Aj3x2mIbMcRAiucAJ9GF/qaTpZV7WizqGmRaxOwmO6vpACfWCg/
a3giRSYBffUEbB0vPOsQ8UE=
=gwV0
-----END PGP SIGNATURE-----




------- Additional Comments From misterbawb@gmail.com 2004-05-05 10:22:18 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

rsync-2.5.7.tar.gz, rsync-2.5.6-signal.patch, and rsync.xinetd sha1sums match
src.rpm from RHSA-2003:398-07

rsync-2.5.7-sanitize-paths.diff matches the diff between debian's
rsync_2.5.5-0.4.diff.gz and rsync_2.5.5-0.2.diff.gz

rsync-2.5.7-env-proxy-segfault.diff makes sense

spec file diff since RHSA-2003:398-07 contains only the patches, changelog, and
release number update

sha1sums for the packages built for rh8, available at
http://mirror.datapipe.net/local/fedoralegacy/

77f8c43891078c6dc25d0e0b353f3142ce4898d1  rsync-2.5.7-1.legacy.8.i386.rpm
ddb7b017e92dbad6a40d2a9c3ace54895647000b  rsync-2.5.7-1.legacy.8.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAmUzfaiZhT6XVAwURAmNnAKC14bM12zXR0UOIrT4sNJ0bcJWx2wCcDuWk
f6qEj8JfhZ01uLHbr13rDjo=
=17BT
-----END PGP SIGNATURE-----




------- Additional Comments From jonny.strom@netikka.fi 2004-05-06 07:02:50 ----

Tested rsync-2.5.7-1.legacy.7x.src.rpm on a Redhat 7.3 machine.

The cpmpilation works ok.
Installation works ok.
And the same files are installed as in the original rsync rpm.



------- Additional Comments From dwb7@ccmr.cornell.edu 2004-05-06 10:50:58 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rebuilds ok. Installs ok. Runs ok (just running commandline rsync, not testing
network).

PUBLISH

sha1sum -b rsync-2.5.7-1.legacy.7x.src.rpm 
64025119ded6bf02289e30ac92f693112865d7fd *rsync-2.5.7-1.legacy.7x.src.rpm

- -DWB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAmpYeSY7s7uPf/IURAqfVAKDQV7DFYHxLB48NL02kOTACJ24eRACbB5oS
UCwZuvvl++ZZYm3k3E0Oqww=
=kZe8
-----END PGP SIGNATURE-----




------- Additional Comments From jkeating@j2solutions.net 2004-05-06 19:28:57 ----

missing buildreq libtool.  Will build anyway.



------- Additional Comments From villegas@math.gatech.edu 2004-05-10 11:38:50 ----

-----BEGIN PGP SIGNED MESSAGE----- 
Hash: SHA1 
 
 
This is for rsync-2.5.7-1.legacy.9.src.rpm available at: 
 
http://rok.iprom.si/~rok/fedora_legacy/ 
 
with md5sum: 
 
e1e40246c452d41b17f3392b095e2c50  rsync-2.5.7-1.legacy.9.src.rpm 
 
and sha1sum: 
 
bf387b415c74964d455fadc9816c490f53ba4a03  rsync-2.5.7-1.legacy.9.src.rpm 
 
0. This sums check fine with others mentioned on the bug report. 
1. Sources match the ones of RH9 
2. - Patches are clean 
   - Spec is based on RH9, and looks clean except for release number, which 
        doesn't match the legacy release number scheme. 
3. Builds clean 
4. Installs clean 
5. rsync client works fine 
6. rsync server not tested 
 
I'm posting a modified srpm to fit the release number scheme of FL (point 2 above): 
 
http://www.math.gatech.edu/~villegas/linux/fedora-legacy/ 
 
md5: 
 
a128d3d9232b1ede3af21a2b24012a5a  rsync-2.5.7-0.9.0.legacy.9.src.rpm 
 
sha1: 
 
25b99cce316f80dbdc16c044e9e339a070228d0d  rsync-2.5.7-0.9.0.legacy.9.src.rpm 
 
The srpm is also signed by my fedora key (7536BB51) available at the same URL and 
the key servers. 
 
The only change on it as compared with the other one is in the release (spec file only). 
 
Carlos 
 
-----BEGIN PGP SIGNATURE----- 
Version: GnuPG v1.2.4 (GNU/Linux) 
 
iD8DBQFAn/X2nACJnHU2u1ERAnFgAJ0alEreM64rQQ/ThVWjzE5oys+3hgCdEEb6 
hxDfuv+SqiEXfjIVpD8XPHY= 
=ucWK 
-----END PGP SIGNATURE----- 
 



------- Additional Comments From villegas@math.gatech.edu 2004-05-10 11:48:26 ----

-----BEGIN PGP SIGNED MESSAGE----- 
Hash: SHA1 
 
 
Hmm... bugzilla damaged the signature on my report 
(comment 11), so I posted the signed comment at the same 
URL as: 
 
http://www.math.gatech.edu/~villegas/linux/fedora-legacy/QA-report.txt 
 
Hope this one comes clean. 
 
Carlos 
 
-----BEGIN PGP SIGNATURE----- 
Version: GnuPG v1.2.4 (GNU/Linux) 
 
iD8DBQFAn/hRnACJnHU2u1ERArdYAKDVdsMjISkOpHqisG1p4X6IicEmIgCfU+f3 
5oORmj3OdocS3566evnxmgw= 
=Wm55 
-----END PGP SIGNATURE----- 
 



------- Additional Comments From jkeating@j2solutions.net 2004-05-31 11:21:21 ----

Pushed to updates-testing.

http://download.fedoralegacy.org/redhat/
 
d4d63c594b993ec4194b2b1145abe71348e984e8 
7.3/updates-testing/SRPMS/rsync-2.5.7-1.legacy.7x.src.rpm
c7960f3fdf5a053c459ee063651470fa95a5dc00 
7.3/updates-testing/i386/rsync-2.5.7-1.legacy.7x.i386.rpm
 
36ab488484efbb6a6c7e03b06b6cc3f9810bdcae 
9/updates-testing/SRPMS/rsync-2.5.7-1.legacy.9.src.rpm
341b5116c4a761b212d00a15e5262a6dc6ca17e3 
9/updates-testing/i386/rsync-2.5.7-1.legacy.9.i386.rpm



------- Additional Comments From rmy@tigress.co.uk 2004-06-17 23:54:50 ----

-----BEGIN PGP SIGNED MESSAGE-----

I've installed the rh7x RPM on four machines.  Everything seems to
work as expected, both as client and server.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iQCVAwUBQNK7rB2/joqPEUdFAQEIvwQAuzpYtx/OF7Ow6139yCepR/8TBUBzL/rE
h3wCl6WbdZk3rkkaGCQBR3Up0iyelE0JnVHx/YrA293CId/FghKTU/JSKVCtVspz
MNMPQVaqSSzROng6SCodMqHR5tKGNouduQBdYZxYUgBxnGDUE+NBXJxmkGHcgvvD
hxoA5Lbl6bI=
=zQyN
-----END PGP SIGNATURE-----



------- Additional Comments From ckelley@ibnads.com 2004-09-09 06:08:58 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
c7960f3fdf5a053c459ee063651470fa95a5dc00  rsync-2.5.7-1.legacy.7x.i386.rpm
d4d63c594b993ec4194b2b1145abe71348e984e8  rsync-2.5.7-1.legacy.7x.src.rpm
 
Package builds just fine
I tested out the installed binary by doing a massive rsync with
a lot of changes (both acting as server/client); it all works
just fine.
 
VERIFY
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
 
iD8DBQFBQIANyQ+yTHz+jJkRAoC0AKCZYHwF85I3Wu4W4QutOIh9fS6CKwCbBy9w
fpj5JETdcXezRkrFaf01l5M=
=kYj5
-----END PGP SIGNATURE-----




------- Additional Comments From madhatter@teaparty.net 2004-09-12 06:34:43 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
341b5116c4a761b212d00a15e5262a6dc6ca17e3  rsync-2.5.7-1.legacy.9.i386.rpm
 
package installed just fine.  rsync'ing directories works fine as both
sender and receiver (using ssh as underlying transport mechanism).
 
i know this package has been superceded but i've not done a VERIFY before,
so i though it worth doing this by way of practise.
 
VERIFY
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
 
iD8DBQFBRHn+ePtvKV31zw4RAkNcAJ97A5u3nDtXL3OypCXHsjOgXRv2lQCgnlo0
ZYXHr8vlunMUMhmf6GMzews=
=Olp1
-----END PGP SIGNATURE-----




------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:24 -------

This bug previously known as bug 1569 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1569
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.


Note You need to log in before you can comment on or make changes to this bug.