Debian Bug report logs - #621866
rsync: CVE-2011-1097 DoS and possibly code execution on client side

Package: rsync; Maintainer for rsync is Paul Slootman <paul@debian.org>; Source for rsync is src:rsync.

Reported by: Nico Golde <nion@debian.org>

Date: Sat, 9 Apr 2011 20:51:31 UTC

Severity: grave

Tags: patch, security

Found in version rsync/3.0.7-2

Fixed in version 3.0.8-1

Done: Alexander Reichle-Schmehl <tolimar@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Paul Slootman <paul@debian.org>:
Bug#621866; Package rsync. (Sat, 09 Apr 2011 20:51:35 GMT)

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Paul Slootman <paul@debian.org>. (Sat, 09 Apr 2011 20:51:39 GMT)

Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: rsync: CVE-2011-1097 DoS and possibly code execution on client side
Date: Sat, 9 Apr 2011 18:32:39 +0200
Package: rsync
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for rsync.

CVE-2011-1097[0]:
| rsync 3.x before 3.0.8, when certain recursion, deletion, and
| ownership options are used, allows remote rsync servers to cause a
| denial of service (heap memory corruption and application crash) or
| possibly execute arbitrary code via malformed data.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

More info:
https://bugzilla.samba.org/show_bug.cgi?id=7936
http://gitweb.samba.org/?p=rsync.git;a=commitdiff;h=83b94efa6b60a3ff5eee4c5f7812c617a90a03f6;hp=c8255147b06b74dad940d32f9cef5fbe17595239

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1097
    http://security-tracker.debian.org/tracker/CVE-2011-1097

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org, Paul Slootman <paul@debian.org>:
Bug#621866; Package rsync. (Thu, 25 Aug 2011 10:15:03 GMT)

Acknowledgement sent to Arne Wichmann <aw@anhrefn.saar.de>:
Extra info received and forwarded to list. Copy sent to Paul Slootman <paul@debian.org>. (Thu, 25 Aug 2011 10:15:08 GMT)

Message #10 received at 621866@bugs.debian.org:

From: Arne Wichmann <aw@anhrefn.saar.de>
To: 621866@bugs.debian.org
Subject: Ping
Date: Thu, 25 Aug 2011 12:08:26 +0200
Hi,

This grave Bug has now been open for more than 4 months. Is there anything
happening to fix it?

cu

AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are
coerced, comply as much as you must to protect yourself, just don't support
it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (aw@linux.de)

Information forwarded to debian-bugs-dist@lists.debian.org, Paul Slootman <paul@debian.org>:
Bug#621866; Package rsync. (Wed, 05 Oct 2011 14:45:03 GMT)

Acknowledgement sent to Arne Wichmann <aw@anhrefn.saar.de>:
Extra info received and forwarded to list. Copy sent to Paul Slootman <paul@debian.org>. (Wed, 05 Oct 2011 14:45:03 GMT)

Message #15 received at 621866@bugs.debian.org:

From: Arne Wichmann <aw@anhrefn.saar.de>
To: 621866@bugs.debian.org
Subject: Bug fixed in unstable/testung/experimental
Date: Wed, 5 Oct 2011 16:35:30 +0200
As far as I can see, this bug is fixed in testing (and anything newer):

/usr/share/doc/rsync/changelog.gz:

[...]
    - Fixed a data-corruption issue when preserving hard-links without
      preserving file ownership, and doing deletions either before or during
      the transfer (CVE-2011-1097).  This fixes some assert errors in the
      hard-linking code, and some potential failed checksums (via -c) that
      should have matched.
[...]

cu

AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are
coerced, comply as much as you must to protect yourself, just don't support
it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (aw@linux.de)

Reply sent to Alexander Reichle-Schmehl <tolimar@debian.org>:
You have taken responsibility. (Sat, 03 Dec 2011 11:33:12 GMT)

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (Sat, 03 Dec 2011 11:33:16 GMT)

Message #20 received at 621866-done@bugs.debian.org:

From: Alexander Reichle-Schmehl <tolimar@debian.org>
To: Arne Wichmann <aw@anhrefn.saar.de>, 621866-done@bugs.debian.org
Subject: Re: Bug#621866: Bug fixed in unstable/testung/experimental
Date: Sat, 3 Dec 2011 12:28:32 +0100
Version: 3.0.8-1

Hi!

* Arne Wichmann <aw@anhrefn.saar.de> [111005 16:35]:
> As far as I can see, this bug is fixed in testing (and anything newer):
> 
> /usr/share/doc/rsync/changelog.gz:
> 
> [...]
>     - Fixed a data-corruption issue when preserving hard-links without
>       preserving file ownership, and doing deletions either before or during
>       the transfer (CVE-2011-1097).  This fixes some assert errors in the
>       hard-linking code, and some potential failed checksums (via -c) that
>       should have matched.
> [...]

Yes, I checked the source, that's fixed for testing and higher, so I
versioned close this bug.  It's still open for stable, though.


Best Regards,
  Alexander
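
An audit check built from the changelog entry quoted above, added here as an example (not part of the bug log and not rsync's own code): it flags client invocations that combine hard-link preservation, no ownership preservation and deletion before or during the transfer on an upstream version in the CVE's range. The function names, the sample command line and the list of short options that take a value are assumptions of this example.

```python
import re
import shlex

# Triggering combination per the changelog quoted above: hard links preserved,
# ownership not preserved, deletion before or during the transfer.
EARLY_DELETE = {"--delete", "--del", "--delete-before", "--delete-during"}
LATE_DELETE = {"--delete-after", "--delete-delay"}
SHORT_WITH_ARG = set("efBT")  # assumed: short options whose value follows
# Constructed sample: a client pulling from a mirror with rsync 3.0.7-2.
SAMPLE = "rsync -rH --delete rsync://mirror.example/pub/ /srv/pub/"


def affected_version(version):
    """True for upstream 3.x releases before 3.0.8 (the range in the CVE text)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    return bool(m) and (3, 0, 0) <= tuple(map(int, m.groups())) < (3, 0, 8)


def risky_options(cmdline):
    """True if one rsync command line uses the combination named in the changelog."""
    hard_links = owner = False
    deletes = set()
    for tok in shlex.split(cmdline)[1:]:
        if tok.startswith("--"):
            name = tok.split("=", 1)[0]
            if name == "--hard-links":
                hard_links = True
            elif name in ("--owner", "--archive"):
                owner = True
            elif name in ("--no-owner", "--no-o"):
                owner = False  # later options override earlier ones
            elif name in EARLY_DELETE | LATE_DELETE:
                deletes.add(name)
        elif tok.startswith("-") and len(tok) > 1:
            for ch in tok[1:]:
                if ch in SHORT_WITH_ARG:
                    break  # remainder of the bundle is that option's value
                hard_links = hard_links or ch == "H"
                owner = owner or ch in "ao"
    early = bool(deletes & EARLY_DELETE) and not deletes & LATE_DELETE
    return hard_links and not owner and early


def audit(version, cmdline):  # flag only when version and options both match
    return affected_version(version) and risky_options(cmdline)


if __name__ == "__main__":
    print(audit("3.0.7-2", SAMPLE))
```

The version test looks at upstream numbering only; a minimal-changes upload to stable could keep the 3.0.7 upstream number, so confirm against the package changelog for the CVE id as well.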




Marked as found in versions rsync/3.0.7-2. Request was from Arne Wichmann <aw@anhrefn.saar.de> to control@bugs.debian.org. (Sat, 12 May 2012 16:15:07 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Paul Slootman <paul@debian.org>:
Bug#621866; Package rsync. (Tue, 21 Aug 2012 12:00:04 GMT)

Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Paul Slootman <paul@debian.org>. (Tue, 21 Aug 2012 12:00:04 GMT)

Message #27 received at 621866@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 621866@bugs.debian.org
Subject: Re: rsync: CVE-2011-1097 DoS and possibly code execution on client side
Date: Tue, 21 Aug 2012 11:15:02 -0000
Package: rsync

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.6) - use target "stable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/621866/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jun 2013 08:10:18 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 16:36:21 2014; Machine Name: buxtehude.debian.org
