LISTSERV - SCIENTIFIC-LINUX-ERRATA Archives

SCIENTIFIC-LINUX-ERRATA Archives

July 2011

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-ERRATA Home
	SCIENTIFIC-LINUX-ERRATA July 2011

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Re: Security ERRATA Moderate: rsync on SL5.x i386/x86_64
From:	Troy Dawson <[log in to unmask]>
Reply To:	Troy Dawson <[log in to unmask]>
Date:	Wed, 27 Jul 2011 11:34:42 -0500
Content-Type:	text/plain
Parts/Attachments:	text/plain (114 lines)

This errata has been pulled from the repositories.

There is a bug in the 3.0.6-4.el5 version of rsync.

rsync commands of the form

    rsync <options> localdir remotehost:remotedir
or
    rsync <options> remotehost:remotedir localdir

no longer work, since the remotehost isn't passed along properly
unless there's also a username specified, therefore now require the form

    rsync <options> localdir username@remotehost:remotedir
or
    rsync <options> username@remotehost:remotedir localdir

A fix for this bug is in the works and will be provided as soon as it is 
  available.

Troy


On 07/26/2011 03:34 PM, Troy J Dawson wrote:
> Synopsis:    Moderate: rsync security, bug fix, and enhancement update
> Issue Date:  2011-07-21
> CVE Numbers: CVE-2007-6200
>
>
> rsync is a program for synchronizing files over a network.
>
> A flaw was found in the way the rsync daemon handled the "filter",
> "exclude", and "exclude from" options, used for hiding files and
> preventing access to them from rsync clients. A remote attacker could
> use this flaw to bypass those restrictions by using certain command line
> options and symbolic links, allowing the attacker to overwrite those
> files if they knew their file names and had write access to them.
> (CVE-2007-6200)
>
> Note: This issue only affected users running rsync as a writable daemon:
> "read only" set to "false" in the rsync configuration file (for example,
> "/etc/rsyncd.conf"). By default, this option is set to "true".
>
> This update also fixes the following bugs:
>
> * The rsync package has been upgraded to upstream version 3.0.6, which
> provides a number of bug fixes and enhancements over the previous version.
>
> * When running an rsync daemon that was receiving files, a deferred
> info, error or log message could have been sent directly to the sender
> instead of being handled by the "rwrite()" function in the generator.
> Also, under certain circumstances, a deferred info or error message from
> the receiver could have bypassed the log file and could have been sent
> only to the client process. As a result, an "unexpected tag 3" fatal
> error could have been displayed. These problems have been fixed in this
> update so that an rsync daemon receiving files now works as expected.
>
> * Prior to this update, the rsync daemon called a number of
> timezone-using functions after doing a chroot. As a result, certain C
> libraries were unable to generate proper timestamps from inside a
> chrooted daemon. This bug has been fixed in this update so that the
> rsync daemon now calls the respective timezone-using functions prior to
> doing a chroot, and proper timestamps are now generated as expected.
>
> * When running rsync under a non-root user with the "-A" ("--acls")
> option and without using the "--numeric-ids" option, if there was an
> Access Control List (ACL) that included a group entry for a group that
> the respective user was not a member of on the receiving side, the
> "acl_set_file()" function returned an invalid argument value ("EINVAL").
> This was caused by rsync mistakenly mapping the group name to the Group
> ID "GID_NONE" ("-1"), which failed. The bug has been fixed in this
> update so that no invalid argument is returned and rsync works as expected.
>
> * When creating a sparse file that was zero blocks long, the "rsync
> - --sparse" command did not properly truncate the sparse file at the end
> of the copy transaction. As a result, the file size was bigger than
> expected. This bug has been fixed in this update by properly truncating
> the file so that rsync now copies such files as expected.
>
> * Under certain circumstances, when using rsync in daemon mode, rsync
> generator instances could have entered an infinitive loop, trying to
> write an error message for the receiver to an invalid socket. This
> problem has been fixed in this update by adding a new sibling message:
> when the receiver is reporting a socket-read error, the generator will
> notice this fact and avoid writing an error message down the socket,
> allowing it to close down gracefully when the pipe from the receiver closes.
>
> * Prior to this update, there were missing deallocations found in the
> "start_client()" function. This bug has been fixed in this update and no
> longer occurs.
>
> All users of rsync are advised to upgrade to this updated package, which
> resolves these issues and adds enhancements.
>
> SL5:
>     i386
>        rsync-3.0.6-4.el5.i386.rpm
>        rsync-debuginfo-3.0.6-4.el5.i386.rpm
>     x86_64
>        rsync-3.0.6-4.el5.x86_64.rpm
>        rsync-debuginfo-3.0.6-4.el5.x86_64.rpm
>
> - Scientific Linux Development Team
>
>
>


-- 
__________________________________________________
Troy Dawson  [log in to unmask]  (630)840-6468
Fermilab  ComputingDivision/SCF/FEF/SLSMS Group
__________________________________________________

ATOM RSS1 RSS2

LISTSERV.FNAL.GOV