Bug 16969 - rsync equivalent security issue to CVE-2014-8242 from librsync
Summary: rsync equivalent security issue to CVE-2014-8242 from librsync
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/637406/
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-10-15 21:00 CEST by David Walser
Modified: 2015-10-26 21:02 CET
CC List: 4 users

See Also:
Source RPM: rsync-3.1.1-5.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2015-10-15 21:00:59 CEST
OpenSuSE has issued an advisory today (October 15):
http://lists.opensuse.org/opensuse-updates/2015-10/msg00034.html

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated rsync package fixes security vulnerability:

Michael Samuel discovered that rsync was vulnerable to checksum collisions.
This could prevent rsync from running and syncing files successfully, which
could break various applications that use and rely on rsync (rhbz#1197601).

The patched rsync will now operate in a way that is not vulnerable to this
issue as long as both the rsync client and rsync server support the new 'C'
option that has been added.  This issue is similar to an issue in librsync
which was fixed in MGASA-2015-0146.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1197601#c4
http://advisories.mageia.org/MGASA-2015-0146.html
========================
rsync-3.1.1-5.1.mga5

from rsync-3.1.1-5.1.mga5.src.rpm

Reproducible: 

Steps to Reproduce:
Dave Hodgins 2015-10-15 22:10:07 CEST

Whiteboard: (none) => advisory
CC: (none) => davidwhodgins
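The advisory above says only that colliding checksums can stop rsync from syncing successfully and that the fix needs both sides to speak a new 'C' option; it does not describe the algorithm or the flaw in detail. The following toy model, added here as an illustration and not rsync's code, shows the general mechanism behind that symptom: a delta-sync sender matches blocks by a weak rolling-style sum backed by a strong sum, a strong sum that is too short lets a different block masquerade as one the receiver already has, the receiver then reconstructs the wrong file, and the whole-file check is what detects the bad reconstruction. The block size, the byte-sum weak checksum, the seeded truncated MD5, the fixed seed and the sample files are all constructed assumptions for the demo and do not reproduce rsync's real checksum construction or what the 'C' option changes.

```python
"""Toy model of block-matching delta sync, constructed to show why a
truncated block checksum lets two different blocks look identical and how
a whole-file check catches the resulting wrong reconstruction.
This is illustration code only, not rsync's implementation."""
import hashlib
import itertools

BLOCK = 8  # toy block size (assumption; real rsync blocks are far larger)


def weak_sum(block: bytes) -> int:
    # Toy stand-in for a rolling checksum: sum of bytes mod 2**16.
    # Every permutation of the same bytes collides, which is exactly why a
    # strong sum has to back it up.
    return sum(block) & 0xFFFF


def strong_sum(block: bytes, seed: bytes, length: int) -> bytes:
    # Seeded MD5 truncated to `length` bytes. `length` is the knob that models
    # a short transfer checksum (weak setting) versus the full 16-byte digest.
    return hashlib.md5(seed + block).digest()[:length]


def signature(basis: bytes, seed: bytes, length: int):
    # Receiver side: (weak, strong) -> block index for every block it holds.
    sig = {}
    for i in range(0, len(basis), BLOCK):
        blk = basis[i:i + BLOCK]
        sig.setdefault((weak_sum(blk), strong_sum(blk, seed, length)), i // BLOCK)
    return sig


def build_delta(new: bytes, sig, seed: bytes, length: int):
    # Sender side: ("ref", idx) for blocks the receiver already has, otherwise
    # ("lit", bytes). Block-aligned rather than rolling, for brevity.
    delta = []
    for i in range(0, len(new), BLOCK):
        blk = new[i:i + BLOCK]
        key = (weak_sum(blk), strong_sum(blk, seed, length))
        delta.append(("ref", sig[key]) if key in sig else ("lit", blk))
    return delta


def apply_delta(basis: bytes, delta) -> bytes:
    # Receiver reconstructs the new file from its own blocks plus literals.
    out = bytearray()
    for kind, val in delta:
        out += basis[val * BLOCK:(val + 1) * BLOCK] if kind == "ref" else val
    return bytes(out)


def colliding_block(block: bytes, seed: bytes, length: int):
    # Walk the permutations of `block` (all share the weak sum) looking for one
    # whose truncated strong sum also matches. Returns None when none exists,
    # which is the expected outcome with the full 16-byte digest.
    target = strong_sum(block, seed, length)
    for perm in itertools.permutations(block):
        cand = bytes(perm)
        if cand != block and strong_sum(cand, seed, length) == target:
            return cand
    return None


def sync(basis: bytes, new: bytes, seed: bytes, length: int):
    # One full round: signature -> delta -> reconstruction -> whole-file check.
    # A False `verified` is the condition under which the delta must be
    # discarded and the file resent; that is the "cannot sync" symptom.
    sig = signature(basis, seed, length)
    rebuilt = apply_delta(basis, build_delta(new, sig, seed, length))
    verified = hashlib.md5(rebuilt).digest() == hashlib.md5(new).digest()
    return rebuilt, verified


def demo(length: int) -> dict:
    seed = b"\x00\x00\x00\x2a"  # constructed fixed seed
    basis = b"ABCDEFGH" + b"12345678"  # constructed 2-block basis file
    first = basis[:BLOCK]
    evil = colliding_block(first, seed, length)
    # With no collision available, use a permuted block instead: it shares the
    # weak sum but the strong sum tells it apart, so it is sent as a literal.
    changed = evil if evil is not None else first[::-1]
    new = changed + basis[BLOCK:]
    rebuilt, verified = sync(basis, new, seed, length)
    return {"collision": evil is not None,
            "verified": verified,
            "rebuilt_matches_new": rebuilt == new}


if __name__ == "__main__":
    print("1-byte strong sum :", demo(1))   # collision, whole-file check fails
    print("16-byte strong sum:", demo(16))  # no collision, sync verifies
```

With a one-byte strong sum the sender confidently references a block the receiver does not actually have, the reconstruction is wrong, and only the whole-file check exposes it; with the full digest no such block is found and the changed block travels as a literal. The point for an operator is that the whole-file check is a detection, not a cure: once it keeps failing, the transfer cannot complete, which matches the breakage the advisory describes.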

Comment 1 Lewis Smith 2015-10-18 21:43:50 CEST
Testing Mag5 x64 real hardware: rsync-3.1.1-5.mga5

Used the release ISOs, for one particular ISO. *Note that between-release directory & file names must be adjusted between steps*. [I have a tool to do this for me. If you want to play this one - be ultra careful: the slightest local/remote name discrepancy will download entire files, rather than synchronising them].

- rsynced my local most recent [final] ISO directory with its equivalent on the server. It was (as expected) up-to-date, so nothing happened; correct behaviour. Checksums OK.
- Copied the 'final' *.iso file to a different directory for future reference.
- rsynced the local 'final' ISO directory with the previous release [rc] on the server. It took about 17m with a speedup of 3.17. Checksums OK.
- rsynced the local 'rc' ISO directory with its server 'final' equivalent. It took about 17m with a speedup of 3.15. Checksums OK.
- As an extra check, 'cmp' the original saved 'final' *.iso file with its new local equivalent. No difference.

This was a very thorough test. Update OK.

CC: (none) => lewyssmith
Whiteboard: advisory => advisory MGA5-64-OK

Comment 2 David Walser 2015-10-19 15:55:46 CEST
I tested it with old client and updated server, updated client and old server, and updated client and updated server, and all worked OK.  Mageia 5 i586.

Whiteboard: advisory MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory

Comment 3 William Kenney 2015-10-25 15:17:46 CET
Validating this update

Keywords: (none) => validated_update
CC: (none) => wilcal.int, sysadmin-bugs

Comment 4 Mageia Robot 2015-10-25 15:39:06 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0409.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 5 David Walser 2015-10-26 21:02:49 CET
LWN entry for the vulnerability in rsync:
http://lwn.net/Vulnerabilities/662067/
