| <?xml version="1.0" encoding="utf-8"?> |
| <!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> |
| |
| <glsa id="200408-17"> |
| <title>rsync: Potential information leakage</title> |
| <synopsis> |
| rsync fails to properly sanitize paths. This vulnerability could allow the |
| listing of arbitrary files and allow file overwriting outside module's path |
| on rsync server configurations that allow uploading. |
| </synopsis> |
| <product type="ebuild">rsync</product> |
| <announced>August 17, 2004</announced> |
| <revised>May 22, 2006: 02</revised> |
| <bug>60309</bug> |
| <access>remote</access> |
| <affected> |
| <package name="net-misc/rsync" auto="yes" arch="*"> |
| <unaffected range="ge">2.6.0-r3</unaffected> |
| <vulnerable range="le">2.6.0-r2</vulnerable> |
| </package> |
| </affected> |
| <background> |
| <p> |
| rsync is a utility that provides fast incremental file transfers. It is |
| used to efficiently synchronize files between hosts and is used by |
| emerge to fetch Gentoo's Portage tree. rsyncd is the rsync daemon, |
| which listens to connections from rsync clients. |
| </p> |
| </background> |
| <description> |
| <p> |
| The paths sent by the rsync client are not checked thoroughly enough. |
| It does not affect the normal send/receive filenames that specify what |
| files should be transferred. It does affect certain option paths that |
| cause auxilliary files to be read or written. |
| </p> |
| </description> |
| <impact type="normal"> |
| <p> |
| When rsyncd is used without chroot ("use chroot = false" in the |
| rsyncd.conf file), this vulnerability could allow the listing of |
| arbitrary files outside module's path and allow file overwriting |
| outside module's path on rsync server configurations that allows |
| uploading. Both possibilities are exposed only when chroot option is |
| disabled. |
| </p> |
| </impact> |
| <workaround> |
| <p> |
| You should never set the rsync daemon to run with "use chroot = false". |
| </p> |
| </workaround> |
| <resolution> |
| <p> |
| All users should update to the latest version of the rsync package. |
| </p> |
| <code> |
| # emerge sync |
| |
| # emerge -pv ">=net-misc/rsync-2.6.0-r3" |
| # emerge ">=net-misc/rsync-2.6.0-r3"</code> |
| </resolution> |
| <references> |
| <uri link="http://samba.org/rsync/#security_aug04">rsync Advisory</uri> |
| <uri link="http://lists.samba.org/archive/rsync-announce/2004/000017.html">rsync 2.6.2 announcement</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0792">CVE-2004-0792</uri> |
| </references> |
| <metadata tag="submitter" timestamp="Sat, 14 Aug 2004 19:22:18 +0000"> |
| jaervosz |
| </metadata> |
| </glsa> |