OpenBSD Journal

Security hole in rsync 2.5.6 and below

Contributed by jose on from the mirrors-getting-cracked dept.

From security-announce@, a posting by Todd Miller:
A heap overflow exists in rsync versions 2.5.6 and below that can be used by an attacker to run arbitrary code. The bug only affects rsync in server (daemon) mode and occurs *after* rsync has dropped privileges. By default, the server will chroot(2) to the root of the file tree being served, which significantly mitigates the impact of the bug. Installations that disable this behavior by placing "use chroot = no" in rsyncd.conf are vulnerable to attack.

Sites that do run rsync in server mode should update their rsync package as soon as possible. The rsync port has been updated in the 3.3 and 3.4 -stable branches and a new binary package has been built for OpenBSD 3.4/i386. It can be downloaded from:

ftp://ftp.openbsd.org/pub/OpenBSD/3.4/packages/i386/rsync-2.5.7.tgz

For more information on the bug, see:

http://rsync.samba.org/

For more information on packages errata, see:

http://www.openbsd.org/pkg-stable.html

Rsync mirrors a lot of the software out there, so you will want to verify things that you download using checksums (as the ports tree does) or PGP/GnuPG signed archives. If you run a mirror, make sure you're up to date on security practices.
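As an added illustration of the checksum advice above (this script is not from the post, the rsync project or the OpenBSD ports tree), here is a small POSIX sh check that refuses to trust a downloaded archive unless its SHA-256 matches a ports-style distinfo record. It assumes distinfo lines of the form "SHA256 (file) = <hex digest>" and that either OpenBSD's sha256(1) or GNU sha256sum is available; the file names and the "archive" content are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the post or the rsync project: check a downloaded
# archive against a ports-style distinfo record before unpacking it.
# Assumptions: distinfo lines look like "SHA256 (file) = <hex digest>", and
# either OpenBSD's sha256(1) or GNU sha256sum is installed.
set -eu

# Print the SHA-256 of a file as lowercase hex, whichever tool is present.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# verify_distinfo DISTINFO ARCHIVE
# Exit status: 0 = hash matches, 1 = mismatch, 2 = no record for this file.
verify_distinfo() {
    name=$(basename "$2")
    expected=$(awk -v f="($name)" '$1 == "SHA256" && $2 == f { print $4 }' "$1")
    if [ -z "$expected" ]; then
        echo "no SHA256 record for $name, refusing to trust it" >&2
        return 2
    fi
    actual=$(sha256_of "$2")
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH for $name: got $actual, expected $expected" >&2
        return 1
    fi
    echo "OK: $name matches distinfo"
}

# Build a constructed sample in a temp dir: a fake "archive" whose content is
# the bytes "hello\n", plus a distinfo recording that content's real SHA-256.
# Prints the directory path.
make_sample() {
    d=$(mktemp -d)
    printf 'hello\n' > "$d/rsync-example.tgz"
    echo 'SHA256 (rsync-example.tgz) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03' > "$d/distinfo"
    echo "$d"
}

# Demonstration when run as "sh verify.sh demo": a clean copy passes, a
# modified copy is rejected.
if [ "${1:-}" = "demo" ]; then
    dir=$(make_sample)
    verify_distinfo "$dir/distinfo" "$dir/rsync-example.tgz"
    printf 'hello!\n' > "$dir/rsync-example.tgz"    # simulate a modified download
    verify_distinfo "$dir/distinfo" "$dir/rsync-example.tgz" || echo "modified copy rejected (status $?)"
    rm -r "$dir"
fi
```

A signed-archive check (gpg --verify against a key you obtained out of band) belongs in the same place in the download path, before anything is unpacked or installed.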



Comments
  1. By Anonymous Coward () on

    if they can do it for rsync, why can't they do it for other patches (besides kernel-level bugs)?

    especially with how many openssh holes we see every year ... sure would make patching a lot easier.

    Comments
    1. By Anonymous Coward () on

      rsync is not a userland tool, it is a port.

      Comments
      1. By Anonymous Coward () on

        my bad
