Sebastian Krahmer of SuSE reported and integer overflow leading to a heap buffer overflow in the xattr handling code (function expand_item_list()) used by rsync. This issue affects rsync 2.6.9 and all rsync 3.x versions with xattr support enabled. Upstream released version 3.0.2: http://samba.anu.edu.au/rsync/security.html#s3_0_2 including the fix: http://rsync.samba.org/ftp/rsync/security/rsync-3.0.1-xattr-alloc.diff Upstream advisory also documents following mitigation to prevent exploitation of the issue on affected versions: Those running a writable rsync daemon can opt to refuse the "xattrs" option as a way to avoid the problem without an upgrade: refuse options = xattrs (If you already refuse options, be sure to append "xattrs" to your existing config parameter rather than adding another refuse directive.)
F-7,F-8 and F-9 packages released. no RHEL product seem to be affected.
rsync-2.6.9-6.fc7 has been submitted as an update for Fedora 7
rsync-2.6.9-5.fc8 has been submitted as an update for Fedora 8
This issue did not affect rsync packages as shipped in Red Hat Enterprise Linux 2.1, 3, 4 and 5.
rsync-2.6.9-5.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
rsync-2.6.9-6.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in: Fedora: https://admin.fedoraproject.org/updates/F7/FEDORA-2008-3060 https://admin.fedoraproject.org/updates/F8/FEDORA-2008-3047