Bug 22216

Summary: rsync new security issue CVE-2017-16548
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: lewyssmith, marja11, nicolas.salguero, sysadmin-bugs, tarazed25
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK
Source RPM: rsync-3.1.2-1.1.mga6.src.rpm CVE: CVE-2017-16548
Status comment:

Description David Walser 2017-12-18 14:52:47 CET 
Debian has issued an advisory on December 17:
https://www.debian.org/security/2017/dsa-4068

The Debian page about the CVE has a link to the upstream commit to fix it:
https://security-tracker.debian.org/tracker/CVE-2017-16548

Mageia 5 and Mageia 6 are also affected.
David Walser 2017-12-18 14:53:06 CET

Severity: normal => critical
Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 Marja Van Waes 2017-12-18 16:41:10 CET 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11, nicolas.salguero
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2017-12-19 10:57:15 CET 
Suggested advisory:
========================

The updated package fixes a security vulnerability:

The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing '\0' character in an xattr name, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly have unspecified other impact by sending crafted data to the daemon. (CVE-2017-16548)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16548
https://www.debian.org/security/2017/dsa-4068
========================

Updated package in 5/core/updates_testing:
========================
rsync-3.1.1-5.3.mga5

from SRPMS:
rsync-3.1.1-5.3.mga5.src.rpm

Updated package in 6/core/updates_testing:
========================
rsync-3.1.2-1.2.mga6

from SRPMS:
rsync-3.1.2-1.2.mga6.src.rpm

Status: NEW => ASSIGNED
CVE: (none) => CVE-2017-16548
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO

Comment 3 Len Lawrence 2017-12-20 22:39:43 CET 
Mageia 5 :: x86_64
Updated the package.
Used rsync to copy a text file from one machine to another on the LAN.
Edited the file then moved to the other machine and synchronized a copy of the original file with the remote file and then used diff to show the differences between the original and the rsynced file.  All in order.

Changed directory to the Mageia-6-LiveDVD-Xfce-i586-DVD directory and ran the command:
$ RSYNC_PASSWORD="<password>" rsync -avHP rsync://isoqa@bcd.mageia.org/isos/mageia6/Mageia-6-LiveDVD-Xfce-i586-DVD/ .
receiving incremental file list

sent 20 bytes  received 379 bytes  266.00 bytes/sec
total size is 1,984,052,071  speedup is 4,972,561.58

which is expected.

This is fine for mga5::x86_64.

CC: (none) => tarazed25
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK

Comment 4 Len Lawrence 2017-12-21 08:29:39 CET 
Mageia 6 :: x86_64

Installed the update and ran similar tests to those in comment 3 using rsync to download remote files, overwrite local files and synchronize a Mageia iso.
No regressions.
Passing this for mga6 on 64-bit architecture.

Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK

Comment 5 Lewis Smith 2017-12-21 13:24:06 CET 
Thanks Len for both your rapid tests. Validating + advisory.

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 6 Mageia Robot 2017-12-21 18:44:31 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0459.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED