Bug 1515735 (CVE-2017-15994) - CVE-2017-15994 rsync: Mishandles archaic checksums
Summary: CVE-2017-15994 rsync: Mishandles archaic checksums
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2017-15994
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1511412 1511413 1511414
Blocks: 1515738
TreeView+ depends on / blocked
 
Reported: 2017-11-21 09:50 UTC by Andrej Nemec
Modified: 2021-02-17 01:13 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-12-19 16:03:02 UTC


Attachments (Terms of Use)

Description Andrej Nemec 2017-11-21 09:50:19 UTC
It was found that rsync mishandles archaic checksums, which makes it easier for remote attackers to bypass intended access restrictions.

Upstream patches:

https://git.samba.org/?p=rsync.git;a=commit;h=7b8a4ecd6ff9cdf4e5d3850ebf822f1e989255b3
https://git.samba.org/?p=rsync.git;a=commit;h=9a480deec4d20277d8e20bc55515ef0640ca1e55
https://git.samba.org/?p=rsync.git;a=commit;h=c252546ceeb0925eb8a4061315e3ff0a8c55b48b

Comment 1 Andrej Nemec 2017-11-21 09:50:54 UTC
Created rsync tracking bugs for this issue:

Affects: fedora-all [bug 1511414]


Created rsync-bpc tracking bugs for this issue:

Affects: epel-7 [bug 1511413]
Affects: fedora-all [bug 1511412]

Comment 2 Richard Shaw 2017-11-21 12:55:25 UTC
None of the commits listed will apply to rsync-bpc. Most of the code around the changes just isn't there. 

What version of rsync are they supposed to work with?

Comment 3 Andrej Nemec 2017-11-21 16:54:32 UTC
(In reply to Richard Shaw from comment #2)
> None of the commits listed will apply to rsync-bpc. Most of the code around
> the changes just isn't there. 
> 
> What version of rsync are they supposed to work with?

It's entirely possible that rsync-bpc is not vulnerable to these issues, I did not investigate in depth.

Comment 4 Richard Shaw 2017-11-21 20:09:25 UTC
I think it's only minimally altered to be able to pass some attributes BackupPC needs so I would think it would be, but it's only used from the server side to a client which I think makes this less of a concern.

Comment 6 Raphael Sanchez Prudencio 2017-12-19 16:06:12 UTC
Statement:

Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.


Note You need to log in before you can comment on or make changes to this bug.