Bug 13214 - rsync new security issue CVE-2014-2855
Summary: rsync new security issue CVE-2014-2855
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/595446/
Whiteboard: has_procedure advisory mga4-32-ok mga...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-04-15 19:06 CEST by David Walser
Modified: 2015-02-15 16:57 CET (History)
4 users (show)

See Also:
Source RPM: rsync-3.1.0-4.1.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2014-04-15 19:06:20 CEST
A CVE has been allocated for a DoS issue fixed upstream in rsync:
http://openwall.com/lists/oss-security/2014/04/15/1

Patched packages uploaded for Mageia 4 and Cauldron.

Mageia 3 is not affected as only rsync version 3.1.0 is vulnerable.

Advisory:
========================

Updated rsync package fixes security vulnerability:

Ryan Finnie discovered that rsync 3.1.0 contains a denial of service issue
when attempting to authenticate using a nonexistent username. A remote
attacker could use this flaw to cause a denial of service via CPU consumption
(CVE-2014-2855).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2855
http://openwall.com/lists/oss-security/2014/04/15/1
========================

Updated packages in core/updates_testing:
========================
rsync-3.1.0-4.2.mga4

from rsync-3.1.0-4.2.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 Daniel Napora 2014-04-16 14:10:31 CEST
Tested on mga4  32 and 64bit.

CC: (none) => napcok
Whiteboard: (none) => mga4-64-ok mga4-32-ok

Comment 2 claire robinson 2014-04-16 15:20:02 CEST
Thanks Daniel

Advisory uploaded. Validating.

Could sysadmin please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: mga4-64-ok mga4-32-ok => advisory mga4-64-ok mga4-32-ok
CC: (none) => sysadmin-bugs

Comment 3 Thomas Backlund 2014-04-17 22:35:52 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2014-0179.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

David Walser 2014-04-18 18:15:14 CEST

URL: (none) => http://lwn.net/Vulnerabilities/595446/

Comment 4 David Walser 2015-02-10 17:03:47 CET
Not fixed, due to improper usage of the setup macro, re-extracting the tarball after the patches were applied.

Fixed package uploaded for Mageia 4.

Advisory:
========================

Updated rsync package fixes security vulnerability:

Ryan Finnie discovered that rsync 3.1.0 contains a denial of service issue
when attempting to authenticate using a nonexistent username. A remote
attacker could use this flaw to cause a denial of service via CPU consumption
(CVE-2014-2855).

The previous update for this issue in MGASA-2014-0179 failed to properly apply
the needed patch, so the package has been rebuilt to address this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2855
http://openwall.com/lists/oss-security/2014/04/15/1
http://advisories.mageia.org/MGASA-2014-0179.html
========================

Updated packages in core/updates_testing:
========================
rsync-3.1.0-4.3.mga4

from rsync-3.1.0-4.3.mga4.src.rpm

Keywords: validated_update => (none)
Status: RESOLVED => REOPENED
Resolution: FIXED => (none)
Whiteboard: advisory mga4-64-ok mga4-32-ok => (none)

Comment 5 David Walser 2015-02-11 22:56:48 CET
I've used rsync to update my local Mageia 4 mirror at work with the newest updates pushed today.  I also run an rsync server on that machine, and I re-synced the local copy of the Mageia 4 mirror on my workstation from that, so I've tested the client and server parts of rsync and it worked fine.  I haven't tested authentication.  I'm using Mageia 4 i586.
Comment 6 olivier charles 2015-02-12 00:16:29 CET
Testing on Mageia 4x64 real hardware,

rsync-3.1.0-4.3.mga4.x86_64

Used testing package of rsync to resync mageia5 beta3 to round 4.

No problems encountered.

CC: (none) => olchal

Comment 7 claire robinson 2015-02-13 14:22:30 CET
Testing complete mga4 32 & 64

Configured server with authentication..

man rsynd.conf gives details but googled for examples.


# cat /etc/rsyncd.conf
 use chroot = yes
 max connections = 4
 pid file = /var/run/rsyncd.pid
 exclude = lost+found/
 transfer logging = yes
 timeout = 900
 ignore nonreadable = yes
 dont compress   = *.gz *.tgz *.zip *.z *.Z *.rpm *.deb *.bz2

[pub]
        path = /some/path/to/serve
        auth users = qatest
        secrets file = /etc/rsyncsecrets


# cat /etc/rsyncsecrets 
qatest:somepassword

the secrets file has to be restricted access..

# chmod 600 /etc/rsyncsecrets

# systemctl start rsyncd.service

# systemctl status rsyncd.service   
rsyncd.service - fast remote file copy program daemon
   Loaded: loaded (/usr/lib/systemd/system/rsyncd.service; disabled)
   Active: active (running) since Fri 2015-02-13 13:14:24 GMT; 4s ago
 Main PID: 10651 (rsync)
   CGroup: /system.slice/rsyncd.service
           ââ10651 /usr/bin/rsync --daemon --no-detach


Then accessed the server to sync the directory being served to a test directory.

$ cd test
$ RSYNC_PASSWORD="somepassword" rsync -avHP rsync://qatest@localhost/pub/ .
receiving incremental file list

...etc

sent 360 bytes  received 543,890 bytes  1,088,500.00 bytes/sec
total size is 542,544  speedup is 1.00

# systemctl stop rsyncd.service

Whiteboard: (none) => mga4-32-ok mga4-64-ok

Comment 8 claire robinson 2015-02-13 19:20:03 CET
Validating.

Advisory updated. Previous ID removed.

This one requires manual push/email please.

Thanks

Keywords: (none) => validated_update
Whiteboard: mga4-32-ok mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-ok

Comment 9 Mageia Robot 2015-02-15 16:57:50 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0065.html

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.