Debian Bug report logs - #265662
rsync: directory traversal in daemon mode


Package: rsync; Maintainer for rsync is Paul Slootman <paul@debian.org>; Source for rsync is src:rsync.

Reported by: Florian Weimer <fw@deneb.enyo.de>

Date: Sat, 14 Aug 2004 11:03:04 UTC

Severity: grave

Tags: fixed-upstream, patch, sarge, security, upstream

Found in version 2.6.2-2

Fixed in version rsync/2.6.2-3

Done: Frank Lichtenheld <djpig@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Paul Slootman <paul@debian.org>:
Bug#265662; Package rsync.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
New Bug report received and forwarded. Copy sent to Paul Slootman <paul@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: rsync: directory traversal in daemon mode
Date: Sat, 14 Aug 2004 12:48:13 +0200
Package: rsync
Version: 2.6.2-2
Severity: grave
Tags: security upstream fixed-upstream patch
Justification: user security hole

The rsync team has announced a new security bug which affects daemon
mode:

  <http://samba.org/rsync/#security_aug04>

The patch is reproduced below (modulo whitespace):

--- orig/util.c	2004-04-27 12:59:37 -0700
+++ util.c	2004-08-11 23:37:27 -0700
@@ -743,7 +743,7 @@
 				allowdotdot = 1;
 			} else {
 				p += 2;
-				if (*p == '/')
+				while (*p == '/')
 					p++;
 				if (sanp != start) {
 					/* back up sanp one level */
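Review bot: the change from `if` to `while` on the slash test needs a regression test covering repeated separators after `..` (inputs such as `..//x` and `..///x`), since nothing in the hunk exercises that case. With `if (*p == '/')`, after `p += 2` only one `/` is consumed, so for `..//x` the pointer `p` is left on the second slash while `sanp` has already been backed up one level in the lines that follow; the rest of the loop then sees a separator where a component was expected, and the two pointers are out of step. The `while` consumes the whole run so that does not happen. It would also be worth checking that the single-dot branch just above this hunk (not shown) skips repeated slashes the same way, and adding a one-line comment on the `while` saying that runs of separators are collapsed here on purpose, because the difference from `if` is easy to revert by accident.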



Reply sent to Paul Slootman <paul@debian.org>:
You have taken responsibility.

Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer.

Message #10 received at 265662-close@bugs.debian.org:

From: Paul Slootman <paul@debian.org>
To: 265662-close@bugs.debian.org
Subject: Bug#265662: fixed in rsync 2.6.2-3
Date: Sat, 14 Aug 2004 08:32:02 -0400
Source: rsync
Source-Version: 2.6.2-3

We believe that the bug you reported is fixed in the latest version of
rsync, which is due to be installed in the Debian FTP archive:

rsync_2.6.2-3.diff.gz
  to pool/main/r/rsync/rsync_2.6.2-3.diff.gz
rsync_2.6.2-3.dsc
  to pool/main/r/rsync/rsync_2.6.2-3.dsc
rsync_2.6.2-3_i386.deb
  to pool/main/r/rsync/rsync_2.6.2-3_i386.deb
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 265662@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Slootman <paul@debian.org> (supplier of updated rsync package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 14 Aug 2004 14:11:22 +0200
Source: rsync
Binary: rsync
Architecture: source i386
Version: 2.6.2-3
Distribution: unstable
Urgency: high
Maintainer: Paul Slootman <paul@debian.org>
Changed-By: Paul Slootman <paul@debian.org>
Description: 
 rsync      - fast remote file copy program (like rcp)
Closes: 265662
Changes: 
 rsync (2.6.2-3) unstable; urgency=high
 .
   * security: directory traversal in daemon mode fix
     closes:#265662
Files: 
 a7eb3ef40676966f63e8199197be857e 543 net optional rsync_2.6.2-3.dsc
 76bfa128544419f87f121c2c3ccb035b 44797 net optional rsync_2.6.2-3.diff.gz
 30620f52cb52f32f4c2d75f55f045b4a 161690 net optional rsync_2.6.2-3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBHgI3utvvqbTW3hMRAomLAJsFSW0bLseN+u1X6hUlCw+/bT7tqwCfTB8n
tmeZGOxTPqp29R3+zWxbvxg=
=APck
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Paul Slootman <paul@debian.org>:
Bug#265662; Package rsync.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Paul Slootman <paul@debian.org>.

Message #15 received at 265662@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: 265662@bugs.debian.org
Subject: Re: Bug#265662 acknowledged by developer (Bug#265662: fixed in rsync 2.6.2-3)
Date: Sat, 14 Aug 2004 14:55:21 +0200
* Debian Bug Tracking System:

>  rsync (2.6.2-3) unstable; urgency=high
>  .
>    * security: directory traversal in daemon mode fix
>      closes:#265662

What about woody?



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#265662; Package rsync.

Acknowledgement sent to Paul Slootman <paul@debian.org>:
Extra info received and forwarded to list.

Message #20 received at 265662@bugs.debian.org:

From: Paul Slootman <paul@debian.org>
To: Florian Weimer <fw@deneb.enyo.de>, 265662@bugs.debian.org
Subject: Re: Bug#265662: acknowledged by developer (Bug#265662: fixed in rsync 2.6.2-3)
Date: Sat, 14 Aug 2004 19:53:40 +0200
On Sat 14 Aug 2004, Florian Weimer wrote:
> 
> >  rsync (2.6.2-3) unstable; urgency=high
> >  .
> >    * security: directory traversal in daemon mode fix
> >      closes:#265662
> 
> What about woody?

Being worked on by the security team.
You could have notified debian-security-private@lists.debian.org
yourself directly; I have now done so after seeing your bug report.


Paul Slootman



Bug reopened, originator not changed. Request was from "J.H.M. Dassen (Ray)" <fsmla@xinara.org> to control@bugs.debian.org.

Tags added: sarge. Request was from "J.H.M. Dassen (Ray)" <fsmla@xinara.org> to control@bugs.debian.org.

Reply sent to Frank Lichtenheld <djpig@debian.org>:
You have taken responsibility.

Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer.

Message #29 received at 265662-done@bugs.debian.org:

From: Frank Lichtenheld <djpig@debian.org>
To: 265662-done@bugs.debian.org
Subject: Re: Bug#265662: rsync: directory traversal in daemon mode
Date: Mon, 23 Aug 2004 22:28:15 +0200
On Sat, Aug 14, 2004 at 12:48:13PM +0200, Florian Weimer wrote:
> Package: rsync
> Version: 2.6.2-2
> Severity: grave
> Tags: security upstream fixed-upstream patch
> Justification: user security hole
> 
> The rsync team has announced a new security bug which affects daemon
> mode:
> 
>   <http://samba.org/rsync/#security_aug04>

This is fixed now in sarge, too.

Regards,
-- 
Frank Lichtenheld <djpig@debian.org>
www: http://www.djpig.de/





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 04:57:03 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.