rsync: CVE-2007-6199, CVE-2007-6200 insecure handling of temporary files

Related Vulnerabilities: CVE-2007-6199   CVE-2007-6200  

Debian Bug report logs - #453652

Package: rsync; Maintainer for rsync is Paul Slootman <paul@debian.org>; Source for rsync is src:rsync.

Reported by: Nico Golde <nion@debian.org>

Date: Fri, 30 Nov 2007 12:09:02 UTC

Severity: grave

Tags: patch, security

Found in version rsync/2.6.3-1

Fixed in versions rsync/2.6.9-5.1, rsync/3.0.0-1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Paul Slootman <paul@debian.org>:
Bug#453652; Package rsync.


Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Paul Slootman <paul@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: rsync: prone to symlink attacks
Date: Fri, 30 Nov 2007 12:55:09 +0100
Package: rsync
Version: 2.6.3-1
Severity: important
Tags: patch security

Hi,
the new rsync upstream release fixes two security bugs which 
can be exploited via a symlink attack.

"1. Daemon advisory for "use chroot = no"

If you are running a writable rsync daemon with "use chroot = no", there is at least one way for someone to trick rsync into creating a symlink that points outside of the module's hierarchy.

This means that if you are allowing access from users who you don't trust, that you should either figure out a way to turn on "use chroot", or configure the daemon to refuse the --links option (see "refuse options" in the rsyncd.conf manpage) which will disable the ability of the rsync module to receive symlinks. After doing so, you should also check that any existing symlinks in the daemon hierarchy are safe.

Starting with the 3.0.0-pre6 release, there is a new daemon option available: "munge symlinks". This allows an rsync daemon to accept symlinks and return them intact (with even a leading slash still there, which is new for a non-chroot daemon), but will not allow the symlinks to be used while they are in the daemon's hierarchy. For those running 2.6.9, there is a patch to implement this option.

Any admin applying that patch should read the "munge symlinks" section of the modified rsyncd.conf manpage for more information. You can also read about this option in the rsyncd.conf manpage from the 3.0.0pre6 release.

2. Daemon advisory for daemon excludes

If you are running a writable rsync daemon that is using one of the "exclude", "exclude from", or "filter" options in the rsyncd.conf file to hide data from your users, you should be aware that there are tricks that a user can play with symlinks and/or certain options that can allow a user that knows the name of a hidden file to access it or overwrite it (if file permissions allow that).

You can avoid the symlink problem using the suggestions in the advisory above.

You can avoid the problems with other options by putting the following "refuse options" setting into your rsyncd.conf file:

    refuse options = --*-dest --partial-dir --backup-dir

An upcoming release of rsync 3.0.0 will hopefully fix the daemon-exclude validation of these options to make this unnecessary, but this has not yet been implemented.

If you combine the above refuse options with the prior suggestion to refuse --links, that would give you this list of options (included here for easier copy/pasting):

    refuse options = --links --*-dest --partial-dir --backup-dir"

See: http://rsync.samba.org/security.html#s3_0_0

A patch can be found on:
http://rsync.samba.org/ftp/rsync/munge-symlinks-2.6.9.diff

A CVE id for this issue is currently pending, I will add it to the bug report.
If you fix the package after I got it please include the CVE id in the changelog
then.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Severity set to `grave' from `important' Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Fri, 30 Nov 2007 12:27:05 GMT)
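
The two mitigations quoted in the report above can be checked mechanically against a daemon configuration. The following is an added example, not code from the bug report or from rsync: a simplified rsyncd.conf reader that lists, per writable module, which of the advisory's items are still open. The sample configuration and module names are constructed; it assumes "read only" and "use chroot" default to yes, and counts "munge symlinks" only when it is set explicitly.

```python
import fnmatch

# Constructed sample rsyncd.conf, not taken from the bug report.
SAMPLE_CONF = """\
use chroot = no

[upload]
path = /srv/upload
read only = no
exclude = /private/

[hardened]
path = /srv/hardened
read only = no
exclude = /private/
refuse options = --links --*-dest --partial-dir --backup-dir

[munged]
path = /srv/munged
read only = no
munge symlinks = yes

[mirror]
path = /srv/mirror
"""

TRUE = {"yes", "true", "1"}
HIDING = ("exclude", "exclude from", "filter")
DIR_OPTS = ("compare-dest", "copy-dest", "link-dest", "partial-dir", "backup-dir")

def parse(text):
    """Simplified parser: {module: params}, globals inherited by each module."""
    globals_, modules, current = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), dict(globals_))
            continue
        name, sep, value = line.partition("=")
        if sep:
            key = " ".join(name.lower().split())
            (globals_ if current is None else current)[key] = value.strip()
    return modules

def flag(params, key, default):
    return params.get(key, default).lower() in TRUE

def refused(params, option):
    """True if a 'refuse options' pattern (wildcards allowed) covers option."""
    patterns = [p.lstrip("-") for p in params.get("refuse options", "").split()]
    return any(fnmatch.fnmatchcase(option, p) for p in patterns)

def audit(text):
    """Map each module to the advisory items it still leaves open."""
    report = {}
    for name, p in parse(text).items():
        issues = report.setdefault(name, [])
        if flag(p, "read only", "yes"):  # both advisories concern writable modules
            continue
        # Assumption: "munge symlinks" counts only when explicitly enabled.
        if not (flag(p, "use chroot", "yes") or refused(p, "links")
                or flag(p, "munge symlinks", "no")):
            issues.append("symlinks")
        if any(k in p for k in HIDING):  # module hides data with excludes/filters
            issues += ["--" + o for o in DIR_OPTS if not refused(p, o)]
    return report
```

An empty list for a module means that none of the items named in the advisory remain open under these assumptions; it says nothing about symlinks already present in the module's directory.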


Information forwarded to debian-bugs-dist@lists.debian.org, Paul Slootman <paul@debian.org>:
Bug#453652; Package rsync.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Paul Slootman <paul@debian.org>.


Message #12 received at 453652@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 453652@bugs.debian.org
Subject: Re: rsync: prone to symlink attacks
Date: Fri, 30 Nov 2007 14:06:24 +0100
Hi,
attached is an NMU proposal to fix this bug just in case you 
have no time to fix this.

For this I needed to backport the patch cause it won't apply 
with the version in Debian.

It will be also archived on:
http://people.debian.org/~nion/nmu-diff/rsync-2.6.4-6_2.6.4-6.1.patch

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[rsync-2.6.4-6_2.6.4-6.1.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#453652; Package rsync.


Acknowledgement sent to Paul Slootman <paul@debian.org>:
Extra info received and forwarded to list.


Message #17 received at 453652@bugs.debian.org:

From: Paul Slootman <paul@debian.org>
To: Nico Golde <nion@debian.org>, 453652@bugs.debian.org
Subject: Re: Bug#453652: rsync: prone to symlink attacks
Date: Fri, 30 Nov 2007 14:18:28 +0100
On Fri 30 Nov 2007, Nico Golde wrote:

> attached is an NMU proposal to fix this bug just in case you 
> have no time to fix this.

Is this based on upstream's patch?

> For this I needed to backport the patch cause it won't apply 
> with the version in Debian.

There is a patch available for 2.6.9 (2.6.9-2etch4 is the current stable
version).

2.6.4 is "oldstable". I think first priority is the stable version...


thanks,
Paul Slootman




Information forwarded to debian-bugs-dist@lists.debian.org, Paul Slootman <paul@debian.org>:
Bug#453652; Package rsync.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Paul Slootman <paul@debian.org>.


Message #22 received at 453652@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 453652@bugs.debian.org
Subject: Re: Bug#453652: rsync: prone to symlink attacks
Date: Fri, 30 Nov 2007 16:15:04 +0100
Hi Paul,
sorry for the fuckup in the paste of the vulnerability, just 
saw it in the BTS that it's unformatted.

* Paul Slootman <paul@debian.org> [2007-11-30 14:42]:
> On Fri 30 Nov 2007, Nico Golde wrote:
> 
> > attached is an NMU proposal to fix this bug just in case you 
> > have no time to fix this.
> 
> Is this based on upstream's patch?

Yes.

> > For this I needed to backport the patch cause it won't apply 
> > with the version in Debian.
> 
> There is a patch available for 2.6.9 (2.6.9-2etch4 is the current stable
> version).

http://rsync.samba.org/ftp/rsync/munge-symlinks-2.6.9.diff 
if you mean this patch this at least does not apply to the 
unstable version that's why I ported it. I have not checked 
if this does apply to the stable version.

> 2.6.4 is "oldstable". I think first priority is the stable version...

Yes. As I am only in the testing security team and thus 
handling testing and unstable issues please contact 
team@security.debian.org to check if this is worth a DSA.

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#453652; Package rsync.


Acknowledgement sent to Paul Slootman <paul@debian.org>:
Extra info received and forwarded to list.


Message #27 received at 453652@bugs.debian.org:

From: Paul Slootman <paul@debian.org>
To: Nico Golde <nion@debian.org>, 453652@bugs.debian.org
Subject: Re: Bug#453652: rsync: prone to symlink attacks
Date: Fri, 30 Nov 2007 16:52:29 +0100
On Fri 30 Nov 2007, Nico Golde wrote:
> > 
> > There is a patch available for 2.6.9 (2.6.9-2etch4 is the current stable
> > version).
> 
> http://rsync.samba.org/ftp/rsync/munge-symlinks-2.6.9.diff 
> if you mean this patch this at least does not apply to the 
> unstable version that's why I ported it. I have not checked 
> if this does apply to the stable version.

Hmm, that patch should apply to both stable and testing...

> > 2.6.4 is "oldstable". I think first priority is the stable version...
> 
> Yes. As I am only in the testing security team and thus 
> handling testing and unstable issues please contact 
> team@security.debian.org to check if this is worth a DSA.

Well, then I'm even more surprised that the patch you pasted listed
2.6.4 as the version being patched?!


Paul Slootman




Information forwarded to debian-bugs-dist@lists.debian.org, Paul Slootman <paul@debian.org>:
Bug#453652; Package rsync.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Paul Slootman <paul@debian.org>.


Message #32 received at 453652@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Paul Slootman <paul@debian.org>
Cc: 453652@bugs.debian.org
Subject: Re: Bug#453652: rsync: prone to symlink attacks
Date: Fri, 30 Nov 2007 18:24:57 +0100
Hi Paul,
* Paul Slootman <paul@debian.org> [2007-11-30 16:53]:
> On Fri 30 Nov 2007, Nico Golde wrote:
> > > There is a patch available for 2.6.9 (2.6.9-2etch4 is the current stable
> > > version).
> > 
> > http://rsync.samba.org/ftp/rsync/munge-symlinks-2.6.9.diff 
> > if you mean this patch this at least does not apply to the 
> > unstable version that's why I ported it. I have not checked 
> > if this does apply to the stable version.
> 
> Hmm, that patch should apply to both stable and testing...
> 
> > > 2.6.4 is "oldstable". I think first priority is the stable version...
> > 
> > Yes. As I am only in the testing security team and thus 
> > handling testing and unstable issues please contact 
> > team@security.debian.org to check if this is worth a DSA.
> 
> Well, then I'm even more surprised that the patch you pasted listed
> 2.6.4 as the version being patched?!

Ah damnit, you are right. I had the oldstable version in my 
directory to check if this is vulnerable too and then wanted 
to build a patch. Somehow I was in the wrong directory so I 
ported this patch to the old stable version.
Ok, not too bad with this the stable guys will have a 
working patch :)

The upstream patch works with unstable and testing then 
apart from patching the manual:
Hunk #1 FAILED at 145.
Hunk #2 succeeded at 184 with fuzz 2.
1 out of 2 hunks FAILED -- saving rejects to file 
./rsyncd.conf.5.rej

Attached is a modified version of the patch which fixes 
this.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org, Paul Slootman <paul@debian.org>:
Bug#453652; Package rsync.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Paul Slootman <paul@debian.org>.


Message #37 received at 453652@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Paul Slootman <paul@debian.org>
Cc: 453652@bugs.debian.org
Subject: Re: Bug#453652: rsync: prone to symlink attacks
Date: Fri, 30 Nov 2007 18:27:17 +0100
Hi Paul,
pressed 'y' too fast so forgot the modified patch.
Here it is.
Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[munge-symlinks-new.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Paul Slootman <paul@debian.org>:
Bug#453652; Package rsync.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Paul Slootman <paul@debian.org>.


Message #42 received at 453652@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Paul Slootman <paul@debian.org>
Cc: 453652@bugs.debian.org
Subject: Re: Bug#453652: rsync: prone to symlink attacks
Date: Mon, 3 Dec 2007 15:46:00 +0100
Hi,
the following CVE ids were assigned to these 
vulnerabilities:
CVE-2007-6200[0]:
| Unspecified vulnerability in rsync before 3.0.0pre6, when running a writable
| rsync daemon, allows remote attackers to bypass exclude, exclude_from, and
| filter and read or write hidden files via (1) symlink, (2) partial-dir, (3)
| backup-dir, and unspecified (4) dest options.

and
CVE-2007-6199[1]:
| rsync before 3.0.0pre6, when running a writable rsync daemon that is not using
| chroot, allows remote attackers to access restricted files via unknown vectors
| that cause rsync to create a symlink that points outside of the module's
| hierarchy.

Please mention those CVE ids in the changelog.

Do you need me to NMU this or are you going to upload now?
Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Changed Bug title to `rsync: CVE-2007-6199, CVE-2007-6200 insecure handling of temporary files' from `rsync: prone to symlink attacks'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Mon, 03 Dec 2007 14:54:07 GMT)
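
The CVE-2007-6199 description above concerns symlinks that point outside the module's hierarchy, and the advisory quoted in the first message asks admins to check existing symlinks in the daemon hierarchy. The following is an added example of such a check, not code from the bug report or from rsync; the function names and the directory tree built in `demo()` are constructed for illustration.

```python
import os
import tempfile

def unsafe_symlinks(module_root):
    """Return sorted (link, target) pairs for symlinks that resolve outside module_root."""
    root = os.path.realpath(module_root)
    found = []
    # followlinks=False: report symlinked directories, never descend into them.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            # realpath follows the whole chain, so a link that reaches the
            # outside through another link is reported as well.
            resolved = os.path.realpath(link)
            if os.path.commonpath([root, resolved]) != root:
                found.append((os.path.relpath(link, root), os.readlink(link)))
    return sorted(found)

def demo():
    """Build a constructed module tree with one safe and two escaping links."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "module")
        os.makedirs(os.path.join(root, "pub"))
        open(os.path.join(root, "pub", "readme"), "w").close()
        os.symlink("readme", os.path.join(root, "pub", "ok"))            # stays inside
        os.symlink("../../outside", os.path.join(root, "pub", "escape"))  # relative escape
        os.symlink("/etc", os.path.join(root, "abs"))                     # absolute target
        return unsafe_symlinks(root)

if __name__ == "__main__":
    for link, target in demo():
        print(f"{link} -> {target}")
```

The check resolves paths the way a daemon running without chroot would see them, so it should be run on the daemon host against the real module path.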


Information forwarded to debian-bugs-dist@lists.debian.org, Paul Slootman <paul@debian.org>:
Bug#453652; Package rsync.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Paul Slootman <paul@debian.org>.


Message #49 received at 453652@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 453652@bugs.debian.org
Subject: patch for NMU
Date: Mon, 3 Dec 2007 17:06:26 +0100
Hi,
attached is an updated patch for an NMU.
It will be also archived on:
http://people.debian.org/~nion/nmu-diff/rsync-2.6.9-5_2.6.9-5.1.patch

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[rsync-2.6.9-5_2.6.9-5.1.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Paul Slootman <paul@debian.org>:
Bug#453652; Package rsync.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Paul Slootman <paul@debian.org>.


Message #54 received at 453652@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 453652@bugs.debian.org
Subject: Re: patch for NMU
Date: Wed, 5 Dec 2007 20:51:34 +0100
Hi,
uploading with maintainer's permission.
Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility.


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.


Message #59 received at 453652-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 453652-close@bugs.debian.org
Subject: Bug#453652: fixed in rsync 2.6.9-5.1
Date: Wed, 05 Dec 2007 20:47:25 +0000
Source: rsync
Source-Version: 2.6.9-5.1

We believe that the bug you reported is fixed in the latest version of
rsync, which is due to be installed in the Debian FTP archive:

rsync_2.6.9-5.1.diff.gz
  to pool/main/r/rsync/rsync_2.6.9-5.1.diff.gz
rsync_2.6.9-5.1.dsc
  to pool/main/r/rsync/rsync_2.6.9-5.1.dsc
rsync_2.6.9-5.1_i386.deb
  to pool/main/r/rsync/rsync_2.6.9-5.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 453652@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated rsync package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 03 Dec 2007 17:00:37 +0100
Source: rsync
Binary: rsync
Architecture: source i386
Version: 2.6.9-5.1
Distribution: unstable
Urgency: high
Maintainer: Paul Slootman <paul@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 rsync      - fast remote file copy program (like rcp)
Closes: 453652
Changes: 
 rsync (2.6.9-5.1) unstable; urgency=high
 .
   * Non-maintainer upload by testing-security team.
   * This update addresses the following security issues (Closes: #453652):
     - When "use chroot" option is disabled, a programming error
       can be exploited by a user to trick rsync into creating a
       symlink that points outside the module's hierarchy.
     - A programming error within the "exclude", "exclude from" and "filter"
       options can be exploited via a symlink attack to gain access
       to hidden files if the filename is known.
Files: 
 28b881c85ed620afe5c103426fc49841 560 net optional rsync_2.6.9-5.1.dsc
 61ea40dae091ed44153bbaa5a7424145 43173 net optional rsync_2.6.9-5.1.diff.gz
 0b663b41fea99d27fe2c06a53783e0c8 258652 net optional rsync_2.6.9-5.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHVwOQHYflSXNkfP8RAmhvAJ0ZH0nIwWCdM35g+A9j6ZWMlZLMNACdETh7
C5ig0ObWVRIMIMZhjm9pWFM=
=cTQF
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Paul Slootman <paul@debian.org>:
Bug#453652; Package rsync.


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Paul Slootman <paul@debian.org>.


Message #64 received at 453652@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Paul Slootman <paul@debian.org>
Cc: Nico Golde <nion@debian.org>, 453652@bugs.debian.org
Subject: Re: Bug#453652: rsync: prone to symlink attacks
Date: Tue, 1 Jan 2008 18:53:14 +0100
On Fri, Nov 30, 2007 at 02:18:28PM +0100, Paul Slootman wrote:
> On Fri 30 Nov 2007, Nico Golde wrote:
> 
> > attached is an NMU proposal to fix this bug just in case you 
> > have no time to fix this.
> 
> Is this based on upstream's patch?
> 
> > For this I needed to backport the patch cause it won't apply 
> > with the version in Debian.
> 
> There is a patch available for 2.6.9 (2.6.9-2etch4 is the current stable
> version).
> 
> 2.6.4 is "oldstable". I think first priority is the stable version...

I don't think the first part ("1. Daemon advisory for "use chroot = no")
needs to be fixed in Sarge or Etch. This essentially only adds an
additional feature to control symlink creation.

We should fix CVE-2007-6200, but there's not yet a patch AFAICS.

Cheers,
       Moritz




Bug marked as fixed in version 3.0.0-1. Request was from Paul Slootman <paul@debian.org> to control@bugs.debian.org. (Mon, 03 Mar 2008 14:45:11 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Feb 2009 08:15:50 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:17:49 2019; Machine Name: buxtehude
