rsync: CVE-2017-17433

Related Vulnerabilities: CVE-2017-17433, CVE-2017-16548, CVE-2017-17434

Debian Bug report logs - #883667

Package: src:rsync; Maintainer for src:rsync is Paul Slootman <paul@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 6 Dec 2017 10:03:05 UTC

Severity: important

Tags: patch, security, upstream

Found in versions rsync/3.1.1-1, rsync/3.1.2-2

Fixed in versions rsync/3.1.2-2.1, rsync/3.1.2-1+deb9u1, rsync/3.1.1-3+deb8u1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Paul Slootman <paul@debian.org>: Bug#883667; Package src:rsync. (Wed, 06 Dec 2017 10:03:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Paul Slootman <paul@debian.org>. (Wed, 06 Dec 2017 10:03:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: rsync: CVE-2017-17433
Date: Wed, 06 Dec 2017 10:59:00 +0100
Source: rsync
Version: 3.1.2-2
Severity: important
Tags: patch security upstream

Hi,

the following vulnerability was published for rsync.

CVE-2017-17433[0]:
| The recv_files function in receiver.c in the daemon in rsync 3.1.2, and
| 3.1.3-development before 2017-12-03, proceeds with certain file
| metadata updates before checking for a filename in the
| daemon_filter_list data structure, which allows remote attackers to
| bypass intended access restrictions.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-17433
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17433
[1] https://git.samba.org/?p=rsync.git;a=commit;h=3e06d40029cfdce9d0f73d87cfd4edaf54be9c51

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions rsync/3.1.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 13 Dec 2017 06:36:03 GMT)


Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 880954-submit@bugs.debian.org. (Thu, 14 Dec 2017 10:03:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Paul Slootman <paul@debian.org>: Bug#883667; Package src:rsync. (Thu, 14 Dec 2017 10:03:09 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Paul Slootman <paul@debian.org>. (Thu, 14 Dec 2017 10:03:09 GMT)


Message #14 received at 883667@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 880954@bugs.debian.org, 883665@bugs.debian.org, 883667@bugs.debian.org
Subject: rsync: diff for NMU version 3.1.2-2.1
Date: Thu, 14 Dec 2017 11:02:07 +0100
Control: tags 880954 + pending
Control: tags 883665 + pending
Control: tags 883667 + pending

Hi Paul,

I've prepared an NMU for rsync (versioned as 3.1.2-2.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[rsync-3.1.2-2.1-nmu.diff (text/x-diff, attachment)]

Reply sent to Salvatore Bonaccorso <carnil@debian.org>: You have taken responsibility. (Thu, 14 Dec 2017 11:24:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Thu, 14 Dec 2017 11:24:07 GMT)


Message #19 received at 883667-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 883667-close@bugs.debian.org
Subject: Bug#883667: fixed in rsync 3.1.2-2.1
Date: Thu, 14 Dec 2017 11:20:47 +0000
Source: rsync
Source-Version: 3.1.2-2.1

We believe that the bug you reported is fixed in the latest version of
rsync, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 883667@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated rsync package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 13 Dec 2017 07:34:49 +0100
Source: rsync
Binary: rsync
Architecture: source
Version: 3.1.2-2.1
Distribution: unstable
Urgency: medium
Maintainer: Paul Slootman <paul@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 880954 883665 883667
Description: 
 rsync      - fast, versatile, remote (and local) file-copying tool
Changes:
 rsync (3.1.2-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Enforce trailing \0 when receiving xattr name values (CVE-2017-16548)
     (Closes: #880954)
   * Check fname in recv_files sooner (CVE-2017-17433) (Closes: #883667)
   * Sanitize xname in read_ndx_and_attrs (CVE-2017-17434) (Closes: #883665)
   * Check daemon filter against fnamecmp in recv_files() (CVE-2017-17434)
     (Closes: #883665)



Reply sent to Salvatore Bonaccorso <carnil@debian.org>: You have taken responsibility. (Sun, 24 Dec 2017 13:09:11 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sun, 24 Dec 2017 13:09:11 GMT)


Message #24 received at 883667-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 883667-close@bugs.debian.org
Subject: Bug#883667: fixed in rsync 3.1.2-1+deb9u1
Date: Sun, 24 Dec 2017 13:06:22 +0000
Source: rsync
Source-Version: 3.1.2-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
rsync, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 883667@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated rsync package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 10 Dec 2017 13:57:17 +0100
Source: rsync
Binary: rsync
Architecture: source
Version: 3.1.2-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Paul Slootman <paul@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 880954 883665 883667
Description: 
 rsync      - fast, versatile, remote (and local) file-copying tool
Changes:
 rsync (3.1.2-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Enforce trailing \0 when receiving xattr name values (CVE-2017-16548)
     (Closes: #880954)
   * Check fname in recv_files sooner (CVE-2017-17433) (Closes: #883667)
   * Sanitize xname in read_ndx_and_attrs (CVE-2017-17434) (Closes: #883665)
   * Check daemon filter against fnamecmp in recv_files() (CVE-2017-17434)
     (Closes: #883665)



Reply sent to Salvatore Bonaccorso <carnil@debian.org>: You have taken responsibility. (Mon, 25 Dec 2017 10:36:16 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Mon, 25 Dec 2017 10:36:16 GMT)


Message #29 received at 883667-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 883667-close@bugs.debian.org
Subject: Bug#883667: fixed in rsync 3.1.1-3+deb8u1
Date: Mon, 25 Dec 2017 10:33:37 +0000
Source: rsync
Source-Version: 3.1.1-3+deb8u1

We believe that the bug you reported is fixed in the latest version of
rsync, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 883667@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated rsync package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 10 Dec 2017 14:08:49 +0100
Source: rsync
Binary: rsync
Architecture: source
Version: 3.1.1-3+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Paul Slootman <paul@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 880954 883665 883667
Description: 
 rsync      - fast, versatile, remote (and local) file-copying tool
Changes:
 rsync (3.1.1-3+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Enforce trailing \0 when receiving xattr name values (CVE-2017-16548)
     (Closes: #880954)
   * Check fname in recv_files sooner (CVE-2017-17433) (Closes: #883667)
   * Sanitize xname in read_ndx_and_attrs (CVE-2017-17434) (Closes: #883665)
   * Check daemon filter against fnamecmp in recv_files() (CVE-2017-17434)
     (Closes: #883665)



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 23 Jan 2018 07:27:57 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:54:02 2019; Machine Name: beach

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.