Bug 30696

Summary: rsync new security issue CVE-2022-29154
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, davidwhodgins, nicolas.salguero, smelror, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: rsync-3.2.2-2.mga8.src.rpm CVE: CVE-2022-29154
Status comment:

Description David Walser 2022-08-03 00:45:20 CEST 
A security issue in rsync has been announced today (August 2):
https://seclists.org/oss-sec/2022/q3/77

The issue will be fixed in 3.2.5.

Mageia 8 is also affected.
David Walser 2022-08-03 00:45:26 CEST

Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2022-08-03 01:20:41 CEST 
openwall version of the URL:
https://www.openwall.com/lists/oss-security/2022/08/02/1
Comment 2 Lewis Smith 2022-08-03 21:36:17 CEST 
Obliged to assign this globally, no one packager in evidence.

Assignee: bugsquad => pkg-bugs

Comment 3 David Walser 2022-08-17 18:59:51 CEST 
openSUSE has issued an advisory for this on August 16:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OZDMOCCGHF4NPIRQFQC2LBFH6YXI6QMU/

Stig-Ørjan has updated Cauldron to 3.2.5.

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Status comment: (none) => Fixed upstream in 3.2.5
CC: (none) => smelror

Comment 4 Nicolas Salguero 2022-08-22 16:46:24 CEST 
Suggested advisory:
========================

The updated package fixes a security vulnerability:

An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. However, the rsync client performs insufficient validation of file names. A malicious rsync server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory and subdirectories (for example, overwrite the .ssh/authorized_keys file). (CVE-2022-29154)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29154
https://seclists.org/oss-sec/2022/q3/77
https://www.openwall.com/lists/oss-security/2022/08/02/1
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OZDMOCCGHF4NPIRQFQC2LBFH6YXI6QMU/
========================

Updated package in core/updates_testing:
========================
rsync-3.2.2-2.1.mga8

from SRPM:
rsync-3.2.2-2.1.mga8.src.rpm

Source RPM: rsync-3.2.4-1.mga9.src.rpm => rsync-3.2.2-2.mga8.src.rpm
CVE: (none) => CVE-2022-29154
Status comment: Fixed upstream in 3.2.5 => (none)
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero

Comment 5 Thomas Andrews 2022-08-23 17:56:50 CEST 
No installation issues.

Tested with Qarepo set to use an "rsync" mirror for downloading. Downloaded core versions of a package for testing, then after the test downloaded tainted versions. No issues noted.

Giving this an OK, and validating. Advisory in Comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update

Dave Hodgins 2022-08-24 22:41:14 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2022-08-25 23:23:05 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0302.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED