Bug 16969

Summary: rsync equivalient security issue to CVE-2014-8242 from librsync
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: davidwhodgins, lewyssmith, sysadmin-bugs, wilcal.int
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/637406/
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Source RPM: rsync-3.1.1-5.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-10-15 21:00:59 CEST 
OpenSuSE has issued an advisory today (October 15):
http://lists.opensuse.org/opensuse-updates/2015-10/msg00034.html

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated rsync package fixes security vulnerability:

Michael Samuel discovered that rsync was vulnerable to checksum collisions.
This could prevent rsync from running and syncing files successfully, which
could break various applications that use and rely on rsync (rhbz#1197601).

The patched rsync will now operate in a way that is not vulnerable to this
issue as long as both the rsync client and rsync server support the new 'C'
option that has been added.  This issue is similar to an issue in librsync
which was fixed in MGASA-2015-0146.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1197601#c4
http://advisories.mageia.org/MGASA-2015-0146.html
========================
rsync-3.1.1-5.1.mga5

from rsync-3.1.1-5.1.mga5.src.rpm

Reproducible: 

Steps to Reproduce:
Dave Hodgins 2015-10-15 22:10:07 CEST

Whiteboard: (none) => advisory
CC: (none) => davidwhodgins

Comment 1 Lewis Smith 2015-10-18 21:43:50 CEST 
Testing Mag5 x64 real hardware: rsync-3.1.1-5.mga5

Used the release ISOs, for one particular ISO. *Note that between-release directory & file names must be adjusted between steps*. [I have a tool to do this for me. If you want to play this one - be ultra careful: the slightest local/remote name discrepancy will download entire files, rather than synchronising them].

- rsynced my local most recent [final] ISO directory with its equivalent on the server. It was (as expected) up-to date, so nothing happened; correct behaviour. Checksums OK.
- Copied the 'final' *.iso file to a different directory for future reference.
- rsynced the local 'final' ISO directory with the previous release [rc] on the server. It took about 17m with a speedup of 3.17. Checksums OK.
- rsynced the local 'rc' ISO directory with its server 'final' equivalent. It took about 17m with a speedup of 3.15. Checksums OK.
- As an extra check, 'cmp' the original saved 'final' *.iso file with its new local equivalent. No difference.

This was a very thorough test. Update OK.

CC: (none) => lewyssmith
Whiteboard: advisory => advisory MGA5-64-OK

Comment 2 David Walser 2015-10-19 15:55:46 CEST 
I tested it with old client and updated server, updated client and old server, and updated client and updated server, and all worked OK.  Mageia 5 i586.

Whiteboard: advisory MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory

Comment 3 William Kenney 2015-10-25 15:17:46 CET 
Validating this update

Keywords: (none) => validated_update
CC: (none) => wilcal.int, sysadmin-bugs

Comment 4 Mageia Robot 2015-10-25 15:39:06 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0409.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 5 David Walser 2015-10-26 21:02:49 CET 
LWN entry for the vulnerability in rsync:
http://lwn.net/Vulnerabilities/662067/