
[linux-security] possibility of remote exploit in rsyncd



Topic
=====
remote exploit in rsync

Problem Description
===================
If rsync is running in daemon mode without a chroot environment, a
remote attacker can trick rsyncd into creating an absolute pathname
while sanitizing it.
As a result, it is possible to read from and write to files outside the
rsync directory (CAN-2004-0792).

Affected Versions
=================
rsync-2.6.2 and earlier

Workaround
==========
Keep the chroot option of rsyncd enabled, or avoid daemon mode
and use SSH as the transport channel.
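
To find daemon modules that are missing the chroot protection, the following
added example (not part of the original advisory or of rsync) parses
rsyncd.conf text and lists every module with chroot disabled, noting whether
it is also writable. It assumes the rsyncd.conf(5) defaults "use chroot = yes"
and "read only = yes"; the function names and the SAMPLE config are constructed.

```python
# Added example: audit rsyncd.conf text for modules that run without chroot.
# Assumed defaults (rsyncd.conf(5)): "use chroot" = yes, "read only" = yes.

def _norm(name):
    # rsyncd matches parameter names ignoring case and whitespace
    return "".join(name.split()).lower()

def _flag(params, key, default):
    val = params.get(key, "").strip().lower()
    return {"yes": True, "true": True, "1": True,
            "no": False, "false": False, "0": False}.get(val, default)

def audit_rsyncd_conf(text):
    """Return [(module, writable)] for every module with chroot disabled."""
    globals_, modules, current, pending = {}, {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
        elif "=" in line:
            name, value = line.split("=", 1)
            target = globals_ if current is None else current
            target[_norm(name)] = value
    findings = []
    for mod, params in modules.items():
        merged = {**globals_, **params}    # module settings override globals
        if not _flag(merged, "usechroot", True):
            findings.append((mod, not _flag(merged, "readonly", True)))
    return findings

# Constructed sample config, not taken from the advisory.
SAMPLE = """\
use chroot = no
[pub]
    path = /srv/pub
[upload]
    path = /srv/upload
    read only = no
[jail]
    path = /srv/jail
    use chroot = yes
"""

if __name__ == "__main__":
    print(audit_rsyncd_conf(SAMPLE))
```

Any module reported here should have chroot re-enabled or be moved to SSH
transport until the fixed package is installed.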

Solution
========
Upgrade to rsync-2.6.3pre1 or a patched version for your distribution.

SuSE-8.1
--------
rpm -Fvh rsync-2.6.2-25.i586.rpm

SuSE-8.2
--------
rpm -Fvh rsync-2.6.2-26.i586.rpm

SuSE-9.0
--------
rpm -Fvh rsync-2.6.2-26.i586.rpm

SuSE-9.1
--------
rpm -Fvh rsync-2.6.2-8.9.i586.rpm

SFU-1.0 (RedHat 7.3)
--------------------
[packages available from ftp://ftp.sfu.ca/pub/linux/7.3/RPMS/]

rpm -Fvh rsync-2.5.7-2.7x.i386.rpm

Debian 3.0 (woody)
------------------
Upgrade to rsync_2.5.5-0.6_i386.deb

Mandrake 9.1
------------
rpm -Fvh rsync-2.5.7-0.3.91mdk.i586.rpm

Mandrake 9.2
------------
rpm -Fvh rsync-2.5.7-0.3.92mdk.i586.rpm

Mandrake 10.0
-------------
rpm -Fvh rsync-2.6.0-1.2.100mdk.i586.rpm

Fedora Core 1
-------------
rpm -Fvh rsync-2.5.7-5.fc1.1.i386.rpm

Fedora Core 2
-------------
rpm -Fvh rsync-2.6.2-1.fc2.0.i386.rpm