Bug 54672 - (CVE-2004-0426) VUL-0: CVE-2004-0426: path sanitization bug in rsync
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Hardware: All Linux
Importance: P3 - Medium : Major
Assigned To: Security Team bot
QA Contact: Security Team bot
CVE-2004-0426: CVSS v2 Base Score: 5....
Reported: 2004-04-30 17:12 UTC by Sebastian Krahmer
Modified: 2021-10-01 08:06 UTC (History)
Description Sebastian Krahmer 2004-04-30 17:12:27 UTC
Date: Wed, 28 Apr 2004 18:25:10 -0700
From: Matt Zimmerman <mdz@debian.org>
To: vendor-sec@lst.de
Subject: [vendor-sec] CAN-2004-0426 for rsync [coley@mitre.org: Re:
    [paul@debian.org: vulnerability in rsync]]

Candidate: CAN-2004-0426
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0426
Assigned: 20040429
Category: SF
Reference: CONFIRM:http://rsync.samba.org/

rsync before 2.6.1 does not properly sanitize paths when running a
read/write daemon without using chroot, allows remote attackers to
write files outside of the module's path.

 - mdz
Vendor Security mailing list
Comment 1 Sebastian Krahmer 2004-04-30 17:12:27 UTC
This probably affects us. Can you have a look?
Comment 2 Ruediger Oertel 2004-04-30 17:46:40 UTC
pretty sure does ... 
Comment 3 Ruediger Oertel 2004-04-30 18:20:53 UTC
does anyone already have a patch ? 
2.6.0-2.6.1 has 23k lines of diff (added patches excluded) 
and just looking for "sanitize_path" you'll get matches all over 
the place :( 
Comment 4 Sebastian Krahmer 2004-05-03 17:37:17 UTC
It seems that it has to be applied then. Their fix is a gz-ball,
but since rsync handles pathnames all over the place it makes
sense that there are a lot of matches. Does it apply to older
versions as well?
Comment 5 Ruediger Oertel 2004-05-03 19:47:52 UTC
The diff between 2.6.0 and 2.6.1 has other changes as well, mangled with 
this fix, the NEWS file for 2.6.0->2.6.1 has 190 lines. 
I really doubt this will apply cleanly to older versions. 
Then: I'm on vacation this week, how urgent is this story ? 
Next: 2.6.2 is already released, fixing a bug introduced in 2.6.1 ... 
Citing the advisory: 
April 2004 Security Advisory 
There is a security problem in all versions prior to 2.6.1 that affects only 
people running a read/write daemon WITHOUT using chroot. 
I don't know if we should not just advise people to set the chroot option 
in their config file. 
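
An added example, not part of the original comment or of rsync itself: a small audit that reads an rsyncd.conf and lists the modules matching the advisory's condition (writable and not chrooted). It assumes a single config file without continuation lines; the function names and the sample config are constructed for illustration.

```python
import re

TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}

def _flag(value, default):
    """Interpret an rsyncd.conf boolean; fall back to the default if unclear."""
    v = value.strip().lower()
    return True if v in TRUE else False if v in FALSE else default

def _norm(name):
    # Whitespace and case in parameter names are not significant to rsyncd.
    return "".join(name.lower().split())

def exposed_modules(conf_text):
    """Return module names with 'read only' off and 'use chroot' off."""
    # rsyncd.conf defaults: modules are read-only and chrooted.
    global_opts = {"usechroot": "yes", "readonly": "yes"}
    modules, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = section.group(1).strip()
            # Parameters set before the first module act as defaults for it.
            modules[current] = dict(global_opts)
            continue
        if "=" not in line:
            continue
        key, value = line.split("=", 1)  # only the first '=' is significant
        target = global_opts if current is None else modules[current]
        target[_norm(key)] = value
    return [name for name, opts in modules.items()
            if not _flag(opts["readonly"], True)
            and not _flag(opts["usechroot"], True)]

# Constructed sample config, not taken from the bug report.
SAMPLE = """\
use chroot = no
[pub]
    path = /srv/pub
[upload]
    path = /srv/upload
    read only = no
[jail]
    path = /srv/jail
    read only = false
    use chroot = yes
"""

if __name__ == "__main__":
    print(exposed_modules(SAMPLE))
```

Modules it reports on a daemon older than 2.6.1 are the ones to move to `use chroot = yes` or make read-only until the updated package is installed.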
Comment 6 Sebastian Krahmer 2004-05-03 19:51:39 UTC
Well, that is something they should do, but I think we need
fixes nevertheless. Just, since it is not too urgent, it
could be done after your vacation.
Comment 7 Ruediger Oertel 2004-05-11 18:38:15 UTC
after playing with the sources a bit and checking that rsync is 
a leaf package, I think we'll go for a version update. 
packages prepared for: SLES7 (aka 7.2),SLES7-PPC (aka 7.3), 
8.0, SLES8 (aka 8.1), 8.2, 9.0, SLES9 (aka 9.1) 
updated packages installed all over the autobuild servers. 
reassigning to sec-team for tracking. 
Comment 8 Sebastian Krahmer 2004-05-19 20:06:20 UTC
QA rejected last packages, new ones have been submitted (IPv6 issue).
Comment 9 Sebastian Krahmer 2004-05-26 19:48:18 UTC
Approved and announced in SuSE-SA:2004:014
Comment 10 Thomas Biege 2009-10-13 20:21:15 UTC
CVE-2004-0426: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)