Contributed by jose on from the mirrors-getting-cracked dept.
A heap overflow exists in rsync versions 2.5.6 and below that can be used by an attacker to run arbitrary code. The bug only affects rsync in server (daemon) mode and occurs *after* rsync has dropped privileges. By default, the server will chroot(2) to the root of the file tree being served, which significantly mitigates the impact of the bug. Installations that disable this behavior by placing "use chroot = no" in rsyncd.conf are vulnerable to attack.

Rsync mirrors a lot of the software out there, so you will want to verify the things you download using checksums (as the ports tree does) or PGP/GnuPG signed archives. If you run a mirror, make sure you're up to date on security practices.
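Since the exposure here hinges on a single rsyncd.conf setting, an admin will want a quick way to check every module on a mirror for it. The script below is an added example, not part of this post or of rsync itself: it parses an rsyncd.conf (global section, then one `[module]` section per share), honours the global default and per-module overrides, and reports any module whose "use chroot" is turned off. The function names, the sample config and the module names are constructed for the example; "use chroot" and its default of yes are rsync's own.

```shell
#!/bin/sh
# Audit an rsyncd.conf for modules served without chroot(2).
# Example code; the file and module names below are constructed, not a real mirror.

# Write a constructed rsyncd.conf to the path given as $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed rsyncd.conf for the audit example
uid = nobody
gid = nobody
use chroot = yes

[ports]
    path = /var/mirror/ports
    comment = OpenBSD ports tree mirror

[scratch]
    path = /var/mirror/scratch
    use chroot = no
    read only = false
EOF
}

# Print one line per module, prefixed WEAK: or ok:, and exit non-zero if any
# module has chroot disabled. A module with no explicit setting inherits the
# global value; with no global value rsync's default (yes) applies.
audit_rsyncd_conf() {
    awk '
        function norm(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return tolower(s) }
        function report() {
            if (chroot == "no" || chroot == "false" || chroot == "0") {
                print "WEAK: module [" module "] has use chroot = " chroot
                bad++
            } else {
                print "ok:   module [" module "] use chroot = " (chroot == "" ? "yes (default)" : chroot)
            }
        }
        BEGIN { global = ""; module = "" }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments and blank lines
        /^[ \t]*\[/ {                                  # start of a [module] section
            if (module != "") report()
            module = $0; sub(/^[ \t]*\[/, "", module); sub(/\].*$/, "", module)
            chroot = global                            # inherit the global setting
            next
        }
        /=/ {                                          # key = value line
            key = norm(substr($0, 1, index($0, "=") - 1))
            val = norm(substr($0, index($0, "=") + 1))
            if (key == "use chroot") {
                if (module == "") global = val; else chroot = val
            }
            next
        }
        END { if (module != "") report(); exit (bad > 0) }
    ' "$1"
}

# Demo on the constructed config: the audit exits non-zero because [scratch]
# disables chroot while [ports] inherits the global "yes".
demo=$(mktemp)
write_sample_conf "$demo"
audit_rsyncd_conf "$demo" || echo "audit found at least one module without chroot"
rm -f "$demo"
```

Run it against the real file with `audit_rsyncd_conf /etc/rsyncd.conf`; a non-zero exit status is what you would hook into a cron job or a post-install check, since it means at least one module is served with the mitigation turned off.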
Sites that do run rsync in server mode should update their rsync package as soon as possible. The rsync port has been updated in the 3.3 and 3.4 -stable branches and a new binary package has been built for OpenBSD 3.4/i386. It can be downloaded from:
For more information on the bug, see:
For more information on packages errata, see: