Bug 16969 - rsync equivalient security issue to CVE-2014-8242 from librsync
Summary: rsync equivalient security issue to CVE-2014-8242 from librsync
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/637406/
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Keywords: validated_update
Depends on:
Reported: 2015-10-15 21:00 CEST by David Walser
Modified: 2015-10-26 21:02 CET (History)
4 users (show)

See Also:
Source RPM: rsync-3.1.1-5.mga5.src.rpm
Status comment:


Description David Walser 2015-10-15 21:00:59 CEST
OpenSuSE has issued an advisory today (October 15):

Patched packages uploaded for Mageia 5 and Cauldron.


Updated rsync package fixes security vulnerability:

Michael Samuel discovered that rsync was vulnerable to checksum collisions.
This could prevent rsync from running and syncing files successfully, which
could break various applications that use and rely on rsync (rhbz#1197601).

The patched rsync will now operate in a way that is not vulnerable to this
issue as long as both the rsync client and rsync server support the new 'C'
option that has been added.  This issue is similar to an issue in librsync
which was fixed in MGASA-2015-0146.


from rsync-3.1.1-5.1.mga5.src.rpm


Steps to Reproduce:
Dave Hodgins 2015-10-15 22:10:07 CEST

Whiteboard: (none) => advisory
CC: (none) => davidwhodgins

Comment 1 Lewis Smith 2015-10-18 21:43:50 CEST
Testing Mag5 x64 real hardware: rsync-3.1.1-5.mga5

Used the release ISOs, for one particular ISO. *Note that between-release directory & file names must be adjusted between steps*. [I have a tool to do this for me. If you want to play this one - be ultra careful: the slightest local/remote name discrepancy will download entire files, rather than synchronising them].

- rsynced my local most recent [final] ISO directory with its equivalent on the server. It was (as expected) up-to date, so nothing happened; correct behaviour. Checksums OK.
- Copied the 'final' *.iso file to a different directory for future reference.
- rsynced the local 'final' ISO directory with the previous release [rc] on the server. It took about 17m with a speedup of 3.17. Checksums OK.
- rsynced the local 'rc' ISO directory with its server 'final' equivalent. It took about 17m with a speedup of 3.15. Checksums OK.
- As an extra check, 'cmp' the original saved 'final' *.iso file with its new local equivalent. No difference.

This was a very thorough test. Update OK.

CC: (none) => lewyssmith
Whiteboard: advisory => advisory MGA5-64-OK

Comment 2 David Walser 2015-10-19 15:55:46 CEST
I tested it with old client and updated server, updated client and old server, and updated client and updated server, and all worked OK.  Mageia 5 i586.

Whiteboard: advisory MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory

Comment 3 William Kenney 2015-10-25 15:17:46 CET
Validating this update

Keywords: (none) => validated_update
CC: (none) => wilcal.int, sysadmin-bugs

Comment 4 Mageia Robot 2015-10-25 15:39:06 CET
An update for this issue has been pushed to Mageia Updates repository.


Resolution: (none) => FIXED

Comment 5 David Walser 2015-10-26 21:02:49 CET
LWN entry for the vulnerability in rsync:

Note You need to log in before you can comment on or make changes to this bug.