Bug 26254

Summary: rsync new security issues CVE-2016-984[0-3] (due to bundled zlib)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, herman.viaene, lists.jjorge, mageia, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: rsync-3.1.3-4.mga8.src.rpm CVE:
Status comment:

Description David Walser 2020-02-25 14:31:05 CET 
Ubuntu has issued an advisory today (February 25):
https://usn.ubuntu.com/4292-1/

These issues were fixed in our zlib package in Bug 19529, but because rsync was changed to not use the system zlib in Bug 13669, rsync is still vulnerable.

Mageia 7 is also affected.
David Walser 2020-02-25 14:31:14 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2020-02-25 19:56:45 CET 
Assigning globally in the light of no evident packager for 'rsync'; CC Marc who committed the last significant change.

Assignee: bugsquad => pkg-bugs
CC: (none) => mageia

Comment 2 Marc Krämer 2020-02-25 21:11:51 CET 
if no one complains, I would change this back to use external zlib, which is now supported. If this breaks old arch packages, it is possible to disable compression. I think we should prefer security over compatibility (and version 3.1 is released for some time)
Comment 3 José Jorge 2020-02-25 21:34:53 CET 
(In reply to Marc Krämer from comment #2)
> if no one complains, I would change this back to use external zlib

Please do so, we have waited too long.

CC: (none) => lists.jjorge

Comment 4 Marc Krämer 2020-02-25 21:50:55 CET 
Updated rsync packages fix security vulnerabilities:
It was discovered that rsync incorrectly handled pointer arithmetic in zlib. An attacker could use this issue to cause rsync to crash, resulting in a denial of service, or possibly execute arbitrary code. [1,2]

It was discovered that rsync incorrectly handled vectors involving left shifts of negative integers in zlib. An attacker could use this issue to cause rsync to crash, resulting in a denial of service, or possibly execute arbitrary code. [3]

It was discovered that rsync incorrectly handled vectors involving big-endian CRC calculation in zlib. An attacker could use this issue to cause rsync to crash, resulting in a denial of service, or possibly execute arbitrary code. [4]

Please note, we now compile against system zlib. If rsync fails to sync with older remote systems using compression (-z), you have either update the remote host to a newer version or disable compression.


References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9840
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9841
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9842
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9843
========================

Updated packages in core/updates_testing:
========================
rsync-3.1.3-4.mga7
rsync-debugsource-3.1.3-4.mga7
rsync-debuginfo-3.1.3-4.mga7

SRPM:
rsync-3.1.3-4.mga7.src.rpm

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Assignee: pkg-bugs => qa-bugs

Comment 5 Herman Viaene 2020-02-28 11:20:05 CET 
MGA7-64 Plasma on Lenovo B50
No installation issues
Used rsync to transfer a bunch of folders and documents from my desktop in the LAN to this laptop: all OK.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 6 Thomas Andrews 2020-02-28 17:49:25 CET 
Validating. Advisory in Comment 4.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-02-29 13:58:42 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 7 Mageia Robot 2020-02-29 14:43:50 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0108.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED