TUCoPS :: Linux :: Red Hat/Fedora :: ciacm035.txt

Red Hat Linux "rsync" Vulnerability

Privacy and Legal Notice

[CIAC] INFORMATION BULLETIN

M-035: Red Hat Linux "rsync" Vulnerability

[Red Hat Security Advisory RHSA-2002:018-10]

January 31, 2002 18:00 GMT
  ------------------------------------------------------------------------
 PROBLEM:           The "rsync" package contains several signed/unsigned
                    bugs in its I/O functions which are remotely
                    exploitable.
 PLATFORM:          Red Hat Linux 6.2 - alpha, i386, sparc
                    Red Hat Linux 7.0 - alpha, i386
                    Red Hat Linux 7.1 - alpha, i386, ia64
                    Red Hat Linux 7.2 - i386, ia64
 DAMAGE:            A remote user can crash the "rsync" server/client and
                    execute code as the user running the "rsync" server or
                    client.
 SOLUTION:          It is strongly recommended that all users of "rsync"
                    upgrade to the fixed packages.
  ------------------------------------------------------------------------
 VULNERABILITY      The risk is HIGH. The "rsync" tool is used for
 ASSESSMENT:        mirroring directory structures across machines and is
                    widely used.
  ------------------------------------------------------------------------

 LINKS:
   CIAC BULLETIN:http://www.ciac.org/ciac/bulletins/m-035.shtml
   ORIGINAL      https://www.redhat.com/support/errata/RHSA-2002-018.html
 BULLETIN:
  ------------------------------------------------------------------------

[***** Start Red Hat Security Advisory RHSA-2002:018-10 *****]

---------------------------------------------------------------------
                   Red Hat, Inc. Red Hat Security Advisory

Synopsis:          New rsync packages available
Advisory ID:       RHSA-2002:018-10
Issue date:        2002-01-23
Updated on:        2002-01-30
Product:           Red Hat Linux
Keywords:          rsync signed unsigned daemon
Cross references:
Obsoletes:
---------------------------------------------------------------------

1. Topic:

New rsync packages are available; these fix a remotely exploitable problem
in the I/O functions. These include the security patch from the recently
released rsync-2.5.2. It is strongly recommended that all users of rsync
upgrade to the fixed
packages.

2002-01-28: There was an error in the original bugfix patch for the
security problem - the new rsync could fail under some circumstances. This
has been fixed in a new build.

2. Relevant releases/architectures:

Red Hat Linux 6.2 - alpha, i386, sparc

Red Hat Linux 7.0 - alpha, i386

Red Hat Linux 7.1 - alpha, i386, ia64

Red Hat Linux 7.2 - i386, ia64

3. Problem description:

rsync is a powerful tool used for mirroring directory structures across
machines.  rsync has been found to contain several signed/unsigned bugs in
its I/O functions which are remotely exploitable.   A remote user can crash
the rsync server/client and execute code as the user running the rsync
server or client.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0048 to this issue.

All users of rsync should upgrade their packages.  In addition rsync server
administrators should consider using the "use chroot", "uid",  and "read
only" options, which can significantly reduce the impact of a security
problem in rsync or elsewhere.

Thanks go to Sebastian Krahmer for providing a patch for this vulnerability
and to Andrew Tridgell and Martin Pool for their rapid response.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which are
not installed but included in the list will not be updated.  Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network.  Many
people find this an easier way to apply updates.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

58874 - New rsync package corrupts files during transfer.
58878 - rsync segfaults

6. RPMs required:

Red Hat Linux 6.2:

SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/rsync-2.4.6-1.6.src.rpm

alpha:
ftp://updates.redhat.com/6.2/en/os/alpha/rsync-2.4.6-1.6.alpha.rpm

i386:
ftp://updates.redhat.com/6.2/en/os/i386/rsync-2.4.6-1.6.i386.rpm

sparc:
ftp://updates.redhat.com/6.2/en/os/sparc/rsync-2.4.6-1.6.sparc.rpm

Red Hat Linux 7.0:

SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/rsync-2.4.6-10.src.rpm

alpha:
ftp://updates.redhat.com/7.0/en/os/alpha/rsync-2.4.6-10.alpha.rpm

i386:
ftp://updates.redhat.com/7.0/en/os/i386/rsync-2.4.6-10.i386.rpm

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/rsync-2.4.6-10.src.rpm

alpha:
ftp://updates.redhat.com/7.1/en/os/alpha/rsync-2.4.6-10.alpha.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/rsync-2.4.6-10.i386.rpm

ia64:
ftp://updates.redhat.com/7.1/en/os/ia64/rsync-2.4.6-10.ia64.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/rsync-2.4.6-10.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/rsync-2.4.6-10.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/rsync-2.4.6-10.ia64.rpm

7. Verification:

MD5 sum                          Package Name
--------------------------------------------------------------------------
3b33976775af0d04ce639915e5c7cb63 6.2/en/os/SRPMS/rsync-2.4.6-1.6.src.rpm
418e264b0ba45fb9d16deff259e462c4 6.2/en/os/alpha/rsync-2.4.6-1.6.alpha.rpm
441409bda25e79567d4a587994b84d76 6.2/en/os/i386/rsync-2.4.6-1.6.i386.rpm
35abb7066b5e5b7092465c33dd24085d 6.2/en/os/sparc/rsync-2.4.6-1.6.sparc.rpm
ec10c0deb84328cc553449f4330f1cfd 7.0/en/os/SRPMS/rsync-2.4.6-10.src.rpm
b756d3ddf8b2d34d5fe7c6b1a4c1d043 7.0/en/os/alpha/rsync-2.4.6-10.alpha.rpm
2e37e09c1f55d4d825e748a4a2005698 7.0/en/os/i386/rsync-2.4.6-10.i386.rpm
ec10c0deb84328cc553449f4330f1cfd 7.1/en/os/SRPMS/rsync-2.4.6-10.src.rpm
b756d3ddf8b2d34d5fe7c6b1a4c1d043 7.1/en/os/alpha/rsync-2.4.6-10.alpha.rpm
2e37e09c1f55d4d825e748a4a2005698 7.1/en/os/i386/rsync-2.4.6-10.i386.rpm
7895ca8e94476fe4868c07dad2f079ae 7.1/en/os/ia64/rsync-2.4.6-10.ia64.rpm
ec10c0deb84328cc553449f4330f1cfd 7.2/en/os/SRPMS/rsync-2.4.6-10.src.rpm
2e37e09c1f55d4d825e748a4a2005698 7.2/en/os/i386/rsync-2.4.6-10.i386.rpm
7895ca8e94476fe4868c07dad2f079ae 7.2/en/os/ia64/rsync-2.4.6-10.ia64.rpm


These packages are GPG signed by Red Hat, Inc. for security.  Our key
is available at:
    http://www.redhat.com/about/contact/pgpkey.html

You can verify each package with the following command:
    rpm --checksig

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    rpm --checksig --nogpg

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0048

Copyright(c) 2000, 2001, 2002 Red Hat, Inc.

[***** End Red Hat Security Advisory RHSA-2002:018-10 *****]

  ------------------------------------------------------------------------
CIAC wishes to acknowledge the contributions of Red Hat, Inc. for the
information contained in this bulletin.
  ------------------------------------------------------------------------
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can
be contacted at:

    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@llnl.gov
    World Wide Web:  http://www.ciac.org/
                     http://ciac.llnl.gov
                     (same machine -- either one will work)
    Anonymous FTP:   ftp.ciac.org
                     ciac.llnl.gov
                     (same machine -- either one will work)

  ------------------------------------------------------------------------
This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
  ------------------------------------------------------------------------
UCRL-MI-119788
[Privacy and Legal Notice]

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH