Debian Bug report logs - #365614
rsync: Integer overflow in the receive_xattr function (remote exploit)
Reported by: Jay Kline <jay@ahpcrc.org>
Date: Mon, 1 May 2006 14:48:18 UTC
Severity: grave
Tags: security
Found in version rsync/2.6.4-6
Done: Paul Slootman <paul@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Paul Slootman <paul@debian.org>: Bug#365614; Package rsync.
Acknowledgement sent to Jay Kline <jay@ahpcrc.org>: New Bug report received and forwarded. Copy sent to Paul Slootman <paul@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: rsync
Version: 2.6.4-6
Severity: grave
Tags: security
Justification: user security hole
Integer overflow in the receive_xattr function in the extended
attributes patch (xattr.c) for rsync before 2.6.8 might allow attackers
to execute arbitrary code via crafted extended attributes that trigger a
buffer overflow.
See http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-2083 for more details.
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.11-1-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages rsync depends on:
ii libc6 2.3.2.ds1-22sarge3 GNU C Library: Shared libraries an
ii libpopt0 1.7-5 lib for parsing cmdline parameters
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#365614; Package rsync.
Acknowledgement sent to Paul Slootman <paul@debian.org>: Extra info received and forwarded to list.
Message #10 received at 365614@bugs.debian.org:
On Mon 01 May 2006, Jay Kline wrote:
> Package: rsync
> Version: 2.6.4-6
> Severity: grave
> Tags: security
> Justification: user security hole
>
>
> Integer overflow in the receive_xattr function in the extended
> attributes patch (xattr.c) for rsync before 2.6.8 might allow attackers
> to execute arbitrary code via crafted extended attributes that trigger a
> buffer overflow.
Do you have reason to believe that Debian's rsync 2.6.4-6 has that patch
applied?
Paul Slootman
Reply sent to Paul Slootman <paul@debian.org>: You have taken responsibility.
Notification sent to Jay Kline <jay@ahpcrc.org>: Bug acknowledged by developer.
Message #15 received at 365614-done@bugs.debian.org:
On Mon 01 May 2006, Jay Kline wrote:
> Paul Slootman wrote:
> > On Mon 01 May 2006, Jay Kline wrote:
> >
> >
> >>Package: rsync
> >>Version: 2.6.4-6
> >>Severity: grave
> >>Tags: security
> >>Justification: user security hole
> >>
> >>
> >>Integer overflow in the receive_xattr function in the extended
> >>attributes patch (xattr.c) for rsync before 2.6.8 might allow attackers
> >>to execute arbitrary code via crafted extended attributes that trigger a
> >>buffer overflow.
> >
> >
> > Do you have reason to believe that Debian's rsync 2.6.4-6 has that patch
> > applied?
> >
>
> Sorry, my mistake. The way it was worded I thought upstream added that.
In fact, my research shows that the xattrs (optional, experimental!)
patch was first added in 2.6.7, so 2.6.4 can hardly be affected.
Thanks for your concern, but please take a moment to check the facts
before panicking :)
Paul Slootman
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 17 Jun 2007 15:25:24 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 18:36:07 2019; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.