rsync: CVE-2011-1097 DoS and possibly code execution on client side

Debian Bug report logs - #621866
rsync: CVE-2011-1097 DoS and possibly code execution on client side

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: submit@bugs.debian.org

Subject: rsync: CVE-2011-1097 DoS and possibly code execution on client side

Date: Sat, 9 Apr 2011 18:32:39 +0200

[Message part 1 (text/plain, inline)]

Package: rsync
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for rsync.

CVE-2011-1097[0]:
| rsync 3.x before 3.0.8, when certain recursion, deletion, and
| ownership options are used, allows remote rsync servers to cause a
| denial of service (heap memory corruption and application crash) or
| possibly execute arbitrary code via malformed data.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

More info:
https://bugzilla.samba.org/show_bug.cgi?id=7936
http://gitweb.samba.org/?p=rsync.git;a=commitdiff;h=83b94efa6b60a3ff5eee4c5f7812c617a90a03f6;hp=c8255147b06b74dad940d32f9cef5fbe17595239

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1097
    http://security-tracker.debian.org/tracker/CVE-2011-1097

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Message #10 received at 621866@bugs.debian.org (full text, mbox, reply):

From: Arne Wichmann <aw@anhrefn.saar.de>

To: 621866@bugs.debian.org

Subject: Ping

Date: Thu, 25 Aug 2011 12:08:26 +0200

[Message part 1 (text/plain, inline)]

Hi,

This grave Bug is now open for more than 4 months. Is there anythind
happening to fix it?

cu

AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are
coerced, comply as much as you must to protect yourself, just don't support
it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (aw@linux.de)

[signature.asc (application/pgp-signature, inline)]

Message #15 received at 621866@bugs.debian.org (full text, mbox, reply):

From: Arne Wichmann <aw@anhrefn.saar.de>

To: 621866@bugs.debian.org

Subject: Bug fixed in unstable/testung/experimental

Date: Wed, 5 Oct 2011 16:35:30 +0200

[Message part 1 (text/plain, inline)]

As far as I can see, this bug is fixed in testing (and anything newer):

/usr/share/doc/rsync/changelog.gz:

[...]
    - Fixed a data-corruption issue when preserving hard-links without
      preserving file ownership, and doing deletions either before or during
      the transfer (CVE-2011-1097).  This fixes some assert errors in the
      hard-linking code, and some potential failed checksums (via -c) that
      should have matched.
[...]

cu

AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are
coerced, comply as much as you must to protect yourself, just don't support
it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (aw@linux.de)

[signature.asc (application/pgp-signature, inline)]

Message #20 received at 621866-done@bugs.debian.org (full text, mbox, reply):

From: Alexander Reichle-Schmehl <tolimar@debian.org>

To: Arne Wichmann <aw@anhrefn.saar.de>, 621866-done@bugs.debian.org

Subject: Re: Bug#621866: Bug fixed in unstable/testung/experimental

Date: Sat, 3 Dec 2011 12:28:32 +0100

Version: 3.0.8-1

Hi!

* Arne Wichmann <aw@anhrefn.saar.de> [111005 16:35]:
> As far as I can see, this bug is fixed in testing (and anything newer):
> 
> /usr/share/doc/rsync/changelog.gz:
> 
> [...]
>     - Fixed a data-corruption issue when preserving hard-links without
>       preserving file ownership, and doing deletions either before or during
>       the transfer (CVE-2011-1097).  This fixes some assert errors in the
>       hard-linking code, and some potential failed checksums (via -c) that
>       should have matched.
> [...]

Yes, I checked the source, that's fixed for testing and higher, so I
versioned close this bug.  It's still open for stable, though.


Best Regards,
  Alexander

Message #27 received at 621866@bugs.debian.org (full text, mbox, reply):

From: Jonathan Wiltshire <jmw@debian.org>

To: 621866@bugs.debian.org

Subject: Re: rsync: CVE-2011-1097 DoS and possibly code execution on client side

Date: Tue, 21 Aug 2012 11:15:02 -0000

Package: rsync

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.6) - use target "stable"

Please prepare a minimal-changes upload targetting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/621866/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

Send a report that this bug log contains spam.