Debian Bug report logs - #1016543 rsync: CVE-2022-29154
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Paul Slootman <paul@debian.org>: Bug#1016543; Package src:rsync. (Tue, 02 Aug 2022 17:21:08 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Paul Slootman <paul@debian.org>. (Tue, 02 Aug 2022 17:21:08 GMT)
Message #5 received at submit@bugs.debian.org:
Source: rsync
Version: 3.2.4-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerability was published for rsync.
CVE-2022-29154[0]:
| An issue was discovered in rsync before 3.2.5 that allows malicious
| remote servers to write arbitrary files inside the directories of
| connecting peers. The server chooses which files/directories are sent
| to the client. However, the rsync client performs insufficient
| validation of file names. A malicious rsync server (or Man-in-The-
| Middle attacker) can overwrite arbitrary files in the rsync client
| target directory and subdirectories (for example, overwrite the
| .ssh/authorized_keys file).
IMHO the issue does not warrant a DSA, but can be fixed at a point
release time. Note that apart from the initial commit mentioned in the
oss-security post there were additional commits done upstream around
that.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-29154
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29154
[1] https://www.openwall.com/lists/oss-security/2022/08/02/1
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
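The CVE text above says the pre-3.2.5 client trusts whatever file names the server lists, so a hostile server can name a file such as `../.ssh/authorized_keys` and have it written relative to the client's destination. The following is an added example written for this page, not rsync's source or the upstream patch: it models the unchecked acceptance next to a simplified client-side check that only keeps names that stay under the path the client actually asked for. The request root `pub` and the server-supplied file list are constructed for the example.

```python
import posixpath

# Constructed scenario (not a real capture): the client asked for
# `rsync -r server:pub ./` and the server replied with this file list.
REQUESTED_ROOT = "pub"
SERVER_FILE_LIST = [
    "pub/README",
    "pub/data/2022-08.csv",
    "../.ssh/authorized_keys",   # climbs out of the destination
    "/etc/cron.d/backdoor",      # absolute path
    "pub/../../.bashrc",         # normalises to a path outside the tree
    "private/secret.txt",        # never requested by the client
]


def vulnerable_accept(requested_root, names):
    """Model of the behaviour the CVE text describes: every name the server
    lists is written relative to the client's destination, unchecked."""
    return list(names)


def is_within_request(requested_root, name):
    """True if `name` (as sent by the server) stays inside the path the
    client actually asked for. Simplified model of client-side validation,
    not rsync's own implementation."""
    if name.startswith("/"):
        return False                      # absolute paths are never ours
    norm = posixpath.normpath(name)       # collapse "." and "a/.." segments
    if norm == ".." or norm.startswith("../"):
        return False                      # still climbs above the destination
    root = posixpath.normpath(requested_root)
    return norm == root or norm.startswith(root + "/")


def hardened_accept(requested_root, names):
    """Split the server's list into names we will write and names we drop."""
    accepted, rejected = [], []
    for name in names:
        (accepted if is_within_request(requested_root, name) else rejected).append(name)
    return accepted, rejected


if __name__ == "__main__":
    print("unchecked client would write:", vulnerable_accept(REQUESTED_ROOT, SERVER_FILE_LIST))
    ok, bad = hardened_accept(REQUESTED_ROOT, SERVER_FILE_LIST)
    print("checked client writes:", ok)
    print("checked client rejects:", bad)
```

The model deliberately normalises before comparing, because `pub/../../.bashrc` passes a naive "starts with pub/" test but resolves outside the tree. Real rsync has more cases than this (trailing-slash sources, `--relative`, exclude rules, symlinks), which is part of why the thread below prefers waiting for a tested 3.2.5 rather than backporting a single commit; until then, syncing untrusted content into a dedicated destination directory, as suggested later in the bug, bounds what an unchecked file list can overwrite.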
Information forwarded to debian-bugs-dist@lists.debian.org, Paul Slootman <paul@debian.org>: Bug#1016543; Package src:rsync. (Tue, 02 Aug 2022 20:33:02 GMT)
Acknowledgement sent to Samuel Henrique <samueloph@debian.org>: Extra info received and forwarded to list. Copy sent to Paul Slootman <paul@debian.org>. (Tue, 02 Aug 2022 20:33:02 GMT)
Message #10 received at 1016543@bugs.debian.org:
Hello Salvatore, thanks for reporting this.
I've been following the discussions around this during the day and I
did notice there were multiple commits related to it indeed.
My take so far is that we should wait a bit before releasing the fix
on unstable, as there might be regressions in the fix itself. There
isn't even a proper release with the fix yet (only v3.2.5pre1). After
confirming that there are no regressions in 3.2.5, then we can consider
backporting it [0].
[0] That is, of course, just a suggestion, if someone from the
Security team is willing to do all the investigative work to look out
for regressions earlier, they're free to go ahead.
Thanks,
--
Samuel Henrique <samueloph>
Information forwarded to debian-bugs-dist@lists.debian.org, Paul Slootman <paul@debian.org>: Bug#1016543; Package src:rsync. (Tue, 02 Aug 2022 20:45:02 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Paul Slootman <paul@debian.org>. (Tue, 02 Aug 2022 20:45:02 GMT)
Message #15 received at 1016543@bugs.debian.org:
Hi Samuel,
On Tue, Aug 02, 2022 at 09:30:07PM +0100, Samuel Henrique wrote:
> Hello Salvatore, thanks for reporting this.
>
> I've been following the discussions around this during the day and I
> did notice there were multiple commits related to it indeed.
>
> My take so far is that we should wait a bit before releasing the fix
> on unstable, as there might be regressions in the fix itself. There
> isn't even a proper release with the fix yet (only v3.2.5pre1). After
> confirming that there are no regressions in 3.2.5, then we can consider
> backporting it [0].
>
> [0] That is, of course, just a suggestion, if someone from the
> Security team is willing to do all the investigative work to look out
> for regressions earlier, they're free to go ahead.
I agree, let's wait for 3.2.5 even for unstable. The issue is not that
urgent and when rsync'ing from an untrusted server, as described, it's
safest to copy into a dedicated destination directory for the remote
content.
Regards,
Salvatore
Last modified: Wed Aug 3 13:17:58 2022