rsync: CVE-2022-29154


Debian Bug report logs - #1016543
rsync: CVE-2022-29154


Package: src:rsync; Maintainer for src:rsync is Paul Slootman <paul@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 2 Aug 2022 17:21:06 UTC

Severity: important

Tags: security, upstream

Found in version rsync/3.2.4-1



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Paul Slootman <paul@debian.org>:
Bug#1016543; Package src:rsync. (Tue, 02 Aug 2022 17:21:08 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Paul Slootman <paul@debian.org>. (Tue, 02 Aug 2022 17:21:08 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: rsync: CVE-2022-29154
Date: Tue, 02 Aug 2022 19:20:40 +0200
Source: rsync
Version: 3.2.4-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for rsync.

CVE-2022-29154[0]:
| An issue was discovered in rsync before 3.2.5 that allows malicious
| remote servers to write arbitrary files inside the directories of
| connecting peers. The server chooses which files/directories are sent
| to the client. However, the rsync client performs insufficient
| validation of file names. A malicious rsync server (or Man-in-The-
| Middle attacker) can overwrite arbitrary files in the rsync client
| target directory and subdirectories (for example, overwrite the
| .ssh/authorized_keys file).

IMHO the issue does not warrant a DSA, but can be fixed at a point
release time. Note that apart from the initial commit mentioned in the
oss-security post there were additional commits done upstream around
that.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-29154
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29154
[1] https://www.openwall.com/lists/oss-security/2022/08/02/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
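The CVE text above boils down to the client trusting whatever file names the server sends. As an added illustration (not rsync's code and not its actual fix), the following client-side check accepts a received name only if it is a safe relative path and sits under one of the paths the client requested; the `requested` list and `name_is_requested` are assumed names for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Illustrative check, not rsync's own code: a name received from the
 * remote side is accepted only if it is relative, has no "." or ".."
 * components, and lies under a path the client asked for. Anything
 * else is skipped instead of being written into the target directory. */

/* True if `name` is non-empty, not absolute, and free of "", "." and ".."
 * path components (so "a//b", "./x" and "docs/../.ssh" are all rejected). */
static bool is_safe_relative(const char *name)
{
    if (name == NULL || name[0] == '\0' || name[0] == '/')
        return false;
    const char *p = name;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0)
            return false;                        /* empty component */
        if (len == 1 && p[0] == '.')
            return false;                        /* "." component   */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;                        /* ".." component  */
        if (!end)
            break;
        p = end + 1;
    }
    return true;
}

/* True if `name` is exactly one of the `n` requested paths or is inside a
 * requested directory. The prefix match stops on a whole component, so a
 * request for "docs" does not admit "docs2/x". A request for "." admits
 * every safe relative name (the whole module was asked for). */
bool name_is_requested(const char *name, const char *const *requested, size_t n)
{
    if (!is_safe_relative(name))
        return false;
    for (size_t i = 0; i < n; i++) {
        const char *req = requested[i];
        size_t rl = strlen(req);
        while (rl > 0 && req[rl - 1] == '/')     /* treat "docs/" as "docs" */
            rl--;
        if (rl == 0)
            continue;
        if (rl == 1 && req[0] == '.')
            return true;
        if (strncmp(name, req, rl) == 0 && (name[rl] == '\0' || name[rl] == '/'))
            return true;
    }
    return false;
}
```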



Information forwarded to debian-bugs-dist@lists.debian.org, Paul Slootman <paul@debian.org>:
Bug#1016543; Package src:rsync. (Tue, 02 Aug 2022 20:33:02 GMT) (full text, mbox, link).


Acknowledgement sent to Samuel Henrique <samueloph@debian.org>:
Extra info received and forwarded to list. Copy sent to Paul Slootman <paul@debian.org>. (Tue, 02 Aug 2022 20:33:02 GMT) (full text, mbox, link).


Message #10 received at 1016543@bugs.debian.org (full text, mbox, reply):

From: Samuel Henrique <samueloph@debian.org>
To: 1016543@bugs.debian.org
Subject: rsync: CVE-2022-29154
Date: Tue, 2 Aug 2022 21:30:07 +0100
Hello Salvatore, thanks for reporting this.

I've been following the discussions around this during the day and I
did notice there were multiple commits related to it indeed.

My take so far is that we should wait a bit before releasing the fix
on unstable, as there might be regressions in the fix itself. There
isn't even a proper release with the fix yet (only v3.2.5pre1). After
confirming that there are no regressions in 3.2.5, then we can consider
backporting it [0].

[0] That is, of course, just a suggestion, if someone from the
Security team is willing to do all the investigative work to look out
for regressions earlier, they're free to go ahead.

Thanks,

-- 
Samuel Henrique <samueloph>



Information forwarded to debian-bugs-dist@lists.debian.org, Paul Slootman <paul@debian.org>:
Bug#1016543; Package src:rsync. (Tue, 02 Aug 2022 20:45:02 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Paul Slootman <paul@debian.org>. (Tue, 02 Aug 2022 20:45:02 GMT) (full text, mbox, link).


Message #15 received at 1016543@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Samuel Henrique <samueloph@debian.org>, 1016543@bugs.debian.org
Subject: Re: Bug#1016543: rsync: CVE-2022-29154
Date: Tue, 2 Aug 2022 22:40:41 +0200
Hi Samuel,

On Tue, Aug 02, 2022 at 09:30:07PM +0100, Samuel Henrique wrote:
> Hello Salvatore, thanks for reporting this.
> 
> I've been following the discussions around this during the day and I
> did notice there were multiple commits related to it indeed.
> 
> My take so far is that we should wait a bit before releasing the fix
> on unstable, as there might be regressions in the fix itself. There
> isn't even a proper release with the fix yet (only v3.2.5pre1). After
> confirming that there are no regressions in 3.2.5, then we can consider
> backporting it [0].
> 
> [0] That is, of course, just a suggestion, if someone from the
> Security team is willing to do all the investigative work to look out
> for regressions earlier, they're free to go ahead.

I agree, let's wait for 3.2.5 even for unstable. The issue is not that
urgent and when rsync'ing from an untrusted server, as described, it's
safest to copy into a dedicated destination directory for the remote
content.

Regards,
Salvatore





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Aug 3 13:17:58 2022; Machine Name: buxtehude
