Bug 54672 (CVE-2004-0426)

Summary: VUL-0: CVE-2004-0426: path sanitazion bug in rsync
Product: [Novell Products] SUSE Security Incidents Reporter: Sebastian Krahmer <krahmer>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2004-0426: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Sebastian Krahmer 2004-04-30 17:12:27 UTC 
Date: Wed, 28 Apr 2004 18:25:10 -0700
From: Matt Zimmerman <mdz@debian.org>
To: vendor-sec@lst.de
Subject: [vendor-sec] CAN-2004-0426 for rsync [coley@mitre.org: Re:
    [paul@debian.org: vulnerability in rsync]]

======================================================
Candidate: CAN-2004-0426
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0426
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20040429
Category: SF
Reference: CONFIRM:http://rsync.samba.org/

rsync before 2.6.1 does not properly sanitize paths when running a
read/write daemon without using chroot, allows remote attackers to

write files outside of the module's path.

-- 
 - mdz
_______________________________________________
Vendor Security mailing list
Comment 1 Sebastian Krahmer 2004-04-30 17:12:27 UTC 
<!-- SBZ_reproduce  -->
...
This probably affects us. Can you have a look?
Comment 2 Ruediger Oertel 2004-04-30 17:46:40 UTC 
pretty sure does ...
Comment 3 Ruediger Oertel 2004-04-30 18:20:53 UTC 
does anyone already have a patch ? 
2.6.0-2.6.1 has 23k lines of diff (added patches excluded) 
and just looking for "sanitize_path" you'll get matches all over 
the place :(
Comment 4 Sebastian Krahmer 2004-05-03 17:37:17 UTC 
It seems that it has to be applied then. Their fix is a gz-ball,
but since rsync handles pathnames all over the place it makes
sence that there are a lot of matches. Does it apply to older
versions as well?
Comment 5 Ruediger Oertel 2004-05-03 19:47:52 UTC 
The diff between 2.6.0 and 2.6.1 has other changes as well, mangled with 
this fix, the NEWS file for 2.6.0->2.6.1 has 190 lines. 
I really doubt this will apply cleanly to older versions. 
 
Then: I'm on vacation this week, how urgent is this story ? 
 
Next: 2.6.2 is already released, fixing a bug introduced in 2.6.1 ... 
 
Citing the advisory: 
April 2004 Security Advisory 
There is a security problem in all versions prior to 2.6.1 that affects only 
people running a read/write daemon WITHOUT using chroot. 
[...] 
 
I don't know if we should not just advise people to set the chroot option 
in their config file.
Comment 6 Sebastian Krahmer 2004-05-03 19:51:39 UTC 
Well, that is something they should do, but I think we need
fixes nevertheless. Just, since it is not too urgent, it
could be done after your vacation.
Comment 7 Ruediger Oertel 2004-05-11 18:38:15 UTC 
after playing with the sources a bit and checking that rsync is 
a leaf package, I think we'll go for a version update. 
 
packages prepared for: SLES7 (aka 7.2),SLES7-PPC (aka 7.3), 
8.0, SLES8 (aka 8.1), 8.2, 9.0, SLES9 (aka 9.1) 
 
updated packages installed all over the autobuild servers. 
 
reassigning to sec-team for tracking.
Comment 8 Sebastian Krahmer 2004-05-19 20:06:20 UTC 
QA rejected last packages, new ones have been submitted (IPv6 issue).
Comment 9 Sebastian Krahmer 2004-05-26 19:48:18 UTC 
Approved and announced in SuSE-SA:2004:014
Comment 10 Thomas Biege 2009-10-13 20:21:15 UTC 
CVE-2004-0426: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)