rsync: CVE-2018-5764


Debian Bug report logs - #887588
rsync: CVE-2018-5764


Package: src:rsync; Maintainer for src:rsync is Paul Slootman <paul@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 18 Jan 2018 09:21:01 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version rsync/3.1.2-1

Fixed in version rsync/3.1.2-2.2

Done: YunQiang Su <syq@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Paul Slootman <paul@debian.org>:
Bug#887588; Package src:rsync. (Thu, 18 Jan 2018 09:21:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Paul Slootman <paul@debian.org>. (Thu, 18 Jan 2018 09:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: rsync: CVE-2018-5764
Date: Thu, 18 Jan 2018 10:18:41 +0100
Source: rsync
Version: 3.1.2-1
Severity: important
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for rsync.

CVE-2018-5764[0]:
| The parse_arguments function in options.c in rsyncd in rsync before
| 3.1.3 does not prevent multiple --protect-args uses, which allows
| remote attackers to bypass an argument-sanitization protection
| mechanism.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-5764
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5764
[1] https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=7706303828fcde524222babb2833864a4bd09e07

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to YunQiang Su <syq@debian.org>:
You have taken responsibility. (Sat, 21 Jul 2018 14:51:15 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 21 Jul 2018 14:51:15 GMT)


Message #10 received at 887588-close@bugs.debian.org:

From: YunQiang Su <syq@debian.org>
To: 887588-close@bugs.debian.org
Subject: Bug#887588: fixed in rsync 3.1.2-2.2
Date: Sat, 21 Jul 2018 14:49:22 +0000
Source: rsync
Source-Version: 3.1.2-2.2

We believe that the bug you reported is fixed in the latest version of
rsync, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 887588@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
YunQiang Su <syq@debian.org> (supplier of updated rsync package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 21 Jul 2018 21:44:31 +0800
Source: rsync
Binary: rsync
Architecture: source mips64el
Version: 3.1.2-2.2
Distribution: unstable
Urgency: medium
Maintainer: Paul Slootman <paul@debian.org>
Changed-By: YunQiang Su <syq@debian.org>
Description:
 rsync      - fast, versatile, remote (and local) file-copying tool
Closes: 866353 883048 887588 892968
Changes:
 rsync (3.1.2-2.2) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Ignore --protect-args when already sent by client
     (CVE-2018-5764) (Closes: #887588)
 .
   [Helmut Grohne]
   * Fix Architecture field of cross built packages. (Closes: #866353)
 .
   [Aurelien Jarno]
   * Update config.guess for new ports: mips*r6* and riscv64.
     (Closes: #892968, #883048)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 24 Aug 2018 07:31:28 GMT)




Last modified: Wed Jun 19 14:58:36 2019
