Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

DSA-1360-1 rsync -- buffer overflow

Related Vulnerabilities: CVE-2007-4091  

Sebastian Krahmer discovered that rsync, a fast remote file copy program, contains an off-by-one error which might allow remote attackers to execute arbitrary code via long directory names. For the old stable distribution (sarge), this problem is not present. For the stable distribution (etch), this problem has been fixed in version 2.6.9-2etch1. For the unstable distribution (sid) this problem will be fixed soon. We recommend that you upgrade your rsync package.

Source

Debian Security Advisory

DSA-1360-1 rsync -- buffer overflow

Date Reported:
28 Aug 2007
Affected Packages:
rsync
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2007-4091.
More information:

Sebastian Krahmer discovered that rsync, a fast remote file copy program, contains an off-by-one error which might allow remote attackers to execute arbitrary code via long directory names.

For the old stable distribution (sarge), this problem is not present.

For the stable distribution (etch), this problem has been fixed in version 2.6.9-2etch4.

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you upgrade your rsync package.

Fixed in:

Debian GNU/Linux 4.0 alias etch

Source:
http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9.orig.tar.gz
http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch4.dsc
http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch4.diff.gz
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch4_alpha.deb
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch4_amd64.deb
arm architecture (ARM)
http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch4_arm.deb
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch4_hppa.deb
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch4_i386.deb
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch4_ia64.deb
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch4_mips.deb
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch4_mipsel.deb
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch4_s390.deb
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch4_sparc.deb

MD5 checksums of the listed files are available in the original advisory.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started