| Summary: | rsync new security issues CVE-2017-17433 and CVE-2017-17434 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | herman.viaene, marja11, nicolas.salguero, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5TOO MGA5-32-OK MGA6-64-OK MGA5-64-OK | ||
| Source RPM: | rsync-3.1.2-1.mga6.src.rpm | CVE: | CVE-2017-17433, CVE-2017-17434 |
| Status comment: | |||
|
Description
David Walser
2017-12-09 21:21:58 CET
David Walser
2017-12-09 21:22:05 CET
Whiteboard:
(none) =>
MGA6TOO, MGA5TOO Assigning to all packagers collectively, since there is no registered maintainer for this package. Assignee:
bugsquad =>
pkg-bugs Hi, The patches apply cleanly and the compilation succeeds but some tests that passed without the patches fail with them. What is the best solution: try to skip those failing tests or try to find in upstream code whether those tests have been updated to pass with the patches? Best regards, Nico. CC:
(none) =>
nicolas.salguero https://git.samba.org/?p=rsync.git;a=commit;h=f5e8a17e093065fb20fea00a29540fe2c7896441 contains the fix for the failing tests so I added it. Suggested advisory: ======================== The updated package fixes security vulnerabilities: The recv_files function in receiver.c in the daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, proceeds with certain file metadata updates before checking for a filename in the daemon_filter_list data structure, which allows remote attackers to bypass intended access restrictions. (CVE-2017-17433) The daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, does not check for fnamecmp filenames in the daemon_filter_list data structure (in the recv_files function in receiver.c) and also does not apply the sanitize_paths protection mechanism to pathnames found in "xname follows" strings (in the read_ndx_and_attrs function in rsync.c), which allows remote attackers to bypass intended access restrictions. (CVE-2017-17434) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17433 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17434 https://usn.ubuntu.com/usn/usn-3506-1/ ======================== Updated package in 5/core/updates_testing: ======================== rsync-3.1.1-5.2.mga5 from SRPMS: rsync-3.1.1-5.2.mga5.src.rpm Updated package in 6/core/updates_testing: ======================== rsync-3.1.2-1.1.mga6 from SRPMS: rsync-3.1.2-1.1.mga6.src.rpm Status:
NEW =>
ASSIGNED Mageia release 6 (Official) for x86_64
4.9.56-desktop-1.mga6
Updated rsync.
Checked the list of available isos using a ruby version of Lewis' onecheck which uses commands of this form:
$ RSYNC_PASSWORD=\"#{pwd}\" rsync --list-only rsync://isoqa@bcd.mageia.org/isos/"
Selected a release and displayed the information on the server for a selected iso.
Ran my local synciso command to rsync the Live Xfce i586 iso.
This runs:
RSYNC_PASSWORD=\"#{pass}\" rsync -avHP rsync://isoqa@bcd.mageia.org/isos/#{release}/#{name}/
$ synciso
receiving incremental file list
./
Mageia-6-LiveDVD-Xfce-i586-DVD.iso.md5.gpg
665 100% 649.41kB/s 0:00:00 (xfr#1, to-chk=9/14)
Mageia-6-LiveDVD-Xfce-i586-DVD.iso.sha1.gpg
673 100% 657.23kB/s 0:00:00 (xfr#2, to-chk=7/14)
Mageia-6-LiveDVD-Xfce-i586-DVD.iso.sha512.gpg
767 100% 749.02kB/s 0:00:00 (xfr#3, to-chk=5/14)
sent 112 bytes received 2,624 bytes 1,824.00 bytes/sec
total size is 1,984,052,071 speedup is 725,165.23
That looks fine for 64 bits.CC:
(none) =>
tarazed25 MGA5-32 on Dell Latitude D600 Xfce No installation issues Testing by transferring some files from my M6 desktop: $ rsync herman@mach1:/home/herman/Documents/airco/* . Password: Files have been transfered correctly. CC:
(none) =>
herman.viaene Mageia 6 :: x86_64 Updated rsync and tested local scripts which use rsync to the isoqa site. They functioned as expected. rsync on the local network ran fine. $ rsync --list-only lcl@vega:data/tv/ Password: drwxr-xr-x 4,096 2017/12/09 20:00:13 . -rw-r--r-- 15,260 2015/11/14 22:46:26 Channels -rw-r--r-- 19,688 2017/07/04 20:54:20 Channels.xspf .............................................. It works OK over the local network also. $ cd trimmers [lcl@markab trimmers]$ ll trimmers -rwxr--r-- 1 lcl lcl 47117 Jan 10 2017 trimmers* $ rsync lcl@belexeuli:trimmers/trimmers . Password: $ ll trimmers -rwxr--r-- 1 lcl lcl 49833 Dec 12 17:57 trimmers* Good for x86_64. Hmm. I seem to have done this one before. Whiteboard:
MGA5TOO MGA5-32-OK =>
MGA5TOO MGA5-32-OK MGA6-64-OK Mageia 5 :: x86_64 $ ll channels.xspf -rw-r--r-- 1 lcl lcl 0 Dec 12 18:04 channels.xspf Fine with local network operation after the update. $ ll channels.xspf -rw-r--r-- 1 lcl lcl 0 Dec 12 18:04 channels.xspf $ rsync lcl@vega:data/tv/channels.xspf . Password: $ ll channels.xspf -rw-r--r-- 1 lcl lcl 18963 Dec 12 18:22 channels.xspf Tried out servercheck and synciso. They worked fine on the WAN. Whiteboard:
MGA5TOO MGA5-32-OK MGA6-64-OK =>
MGA5TOO MGA5-32-OK MGA6-64-OK MGA5-64-OK
Lewis Smith
2017-12-16 08:31:17 CET
CC:
(none) =>
sysadmin-bugs An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0452.html Status:
ASSIGNED =>
RESOLVED |