Ubuntu has issued an advisory on December 7: https://usn.ubuntu.com/usn/usn-3506-1/ Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Assignee: bugsquad => pkg-bugs
CC: (none) => marja11
Hi,

The patches apply cleanly and the compilation succeeds but some tests that passed without the patches fail with them. What is the best solution: try to skip those failing tests or try to find in upstream code whether those tests have been updated to pass with the patches?

Best regards,

Nico.
CC: (none) => nicolas.salguero
https://git.samba.org/?p=rsync.git;a=commit;h=f5e8a17e093065fb20fea00a29540fe2c7896441 contains the fix for the failing tests so I added it.
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

The recv_files function in receiver.c in the daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, proceeds with certain file metadata updates before checking for a filename in the daemon_filter_list data structure, which allows remote attackers to bypass intended access restrictions. (CVE-2017-17433)

The daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, does not check for fnamecmp filenames in the daemon_filter_list data structure (in the recv_files function in receiver.c) and also does not apply the sanitize_paths protection mechanism to pathnames found in "xname follows" strings (in the read_ndx_and_attrs function in rsync.c), which allows remote attackers to bypass intended access restrictions. (CVE-2017-17434)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17433
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17434
https://usn.ubuntu.com/usn/usn-3506-1/
========================

Updated package in 5/core/updates_testing:
========================
rsync-3.1.1-5.2.mga5

from SRPMS:
rsync-3.1.1-5.2.mga5.src.rpm

Updated package in 6/core/updates_testing:
========================
rsync-3.1.2-1.1.mga6

from SRPMS:
rsync-3.1.2-1.1.mga6.src.rpm
Status: NEW => ASSIGNED
Version: Cauldron => 6
Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2017-17433, CVE-2017-17434
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
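The two CVEs in the advisory above are both ordering and coverage problems in the daemon's receiver: the destination is modified before the exclude list is consulted, and two of the names a transfer can touch (the fnamecmp basis file and the "xname follows" path) are never run through the filter or through sanitize_paths at all. The following is an added toy model of those checks, written for this bug report and not taken from rsync's source; the entry layout, the prefix-style filter rules, sanitize_path, is_filtered and apply_metadata are all assumptions made for illustration, and the sample entries are constructed.

```python
"""
Toy model of the rsync daemon receiver checks behind CVE-2017-17433 and
CVE-2017-17434. Added illustration, not rsync's code: the entry dicts, the
filter-rule syntax and every function name here are assumptions.
"""
import copy


class FilterViolation(Exception):
    """Raised when a name falls under the daemon's exclude list."""


def sanitize_path(path):
    """Model of a sanitize_paths-style cleanup: drop leading slashes and
    collapse '.' / '..' so the result can never climb above the module root.
    (Assumed behaviour; rsync's real sanitize_path has more options.)"""
    parts = []
    for comp in path.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if parts:
                parts.pop()
            continue  # a leading '..' is dropped rather than escaping upward
        parts.append(comp)
    return "/".join(parts)


def is_filtered(name, daemon_filter_list):
    """True if name is an excluded path or lies under an excluded directory.
    daemon_filter_list is modelled as module-relative path prefixes."""
    for rule in daemon_filter_list:
        rule = rule.strip("/")
        if name == rule or name.startswith(rule + "/"):
            return True
    return False


def apply_metadata(state, name, attrs):
    """Stand-in for the mode/owner/mtime updates the receiver performs."""
    state.setdefault(name, {}).update(attrs)


def recv_file_vulnerable(state, entry, daemon_filter_list):
    """Pre-fix ordering: metadata is applied first, the filter is consulted
    afterwards, and the basis name (fnamecmp) and xname are never checked."""
    apply_metadata(state, entry["name"], entry["attrs"])
    if is_filtered(entry["name"], daemon_filter_list):
        raise FilterViolation(entry["name"])
    return {"write": entry["name"], "basis": entry.get("fnamecmp"),
            "xname": entry.get("xname")}


def recv_file_fixed(state, entry, daemon_filter_list):
    """Post-fix ordering: every name the transfer will touch is sanitized
    and checked before anything on the destination is changed."""
    name = entry["name"]
    basis = entry.get("fnamecmp")
    xname = sanitize_path(entry["xname"]) if entry.get("xname") else None
    for candidate in (name, basis, xname):
        if candidate is not None and is_filtered(candidate, daemon_filter_list):
            raise FilterViolation(candidate)
    apply_metadata(state, name, entry["attrs"])
    return {"write": name, "basis": basis, "xname": xname}


def demo():
    """Runs both receivers over constructed entries; returns the outcomes."""
    filters = ["secret/"]  # constructed daemon exclude list
    results = {}

    # 1. Target under a filtered directory: both reject, but only the
    #    vulnerable receiver has already modified the filtered path.
    entry = {"name": "secret/passwd", "attrs": {"mode": 0o666}}
    for label, fn in (("vuln", recv_file_vulnerable), ("fixed", recv_file_fixed)):
        state = {}
        try:
            fn(state, copy.deepcopy(entry), filters)
        except FilterViolation:
            pass
        results[label + "_touched_filtered"] = "secret/passwd" in state

    # 2. Target allowed, but the basis file (fnamecmp) lies under the filter.
    entry = {"name": "public/notes.txt", "attrs": {"mode": 0o644},
             "fnamecmp": "secret/key"}
    results["vuln_accepts_filtered_basis"] = recv_file_vulnerable({}, entry, filters) is not None
    try:
        recv_file_fixed({}, entry, filters)
        results["fixed_rejects_filtered_basis"] = False
    except FilterViolation:
        results["fixed_rejects_filtered_basis"] = True

    # 3. An xname that tries to climb out of the module root.
    results["xname_sanitized"] = sanitize_path("/../../secret/../etc/shadow")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point to check in the real package is the same one the model makes explicit: the filter lookup and the path sanitizing have to run on every name involved in a transfer, and before the first write, since a rejection after apply_metadata still leaves the excluded path modified.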
Mageia release 6 (Official) for x86_64 4.9.56-desktop-1.mga6

Updated rsync.

Checked the list of available isos using a ruby version of Lewis' onecheck which uses commands of this form:
$ RSYNC_PASSWORD=\"#{pwd}\" rsync --list-only rsync://isoqa@bcd.mageia.org/isos/"

Selected a release and displayed the information on the server for a selected iso.

Ran my local synciso command to rsync the Live Xfce i586 iso. This runs:
RSYNC_PASSWORD=\"#{pass}\" rsync -avHP rsync://isoqa@bcd.mageia.org/isos/#{release}/#{name}/

$ synciso
receiving incremental file list
./
Mageia-6-LiveDVD-Xfce-i586-DVD.iso.md5.gpg
            665 100%  649.41kB/s    0:00:00 (xfr#1, to-chk=9/14)
Mageia-6-LiveDVD-Xfce-i586-DVD.iso.sha1.gpg
            673 100%  657.23kB/s    0:00:00 (xfr#2, to-chk=7/14)
Mageia-6-LiveDVD-Xfce-i586-DVD.iso.sha512.gpg
            767 100%  749.02kB/s    0:00:00 (xfr#3, to-chk=5/14)

sent 112 bytes  received 2,624 bytes  1,824.00 bytes/sec
total size is 1,984,052,071  speedup is 725,165.23

That looks fine for 64 bits.
CC: (none) => tarazed25
MGA5-32 on Dell Latitude D600 Xfce

No installation issues

Testing by transferring some files from my M6 desktop:
$ rsync herman@mach1:/home/herman/Documents/airco/* .
Password:

Files have been transferred correctly.
CC: (none) => herman.viaene
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
Mageia 6 :: x86_64

Updated rsync and tested local scripts which use rsync to the isoqa site. They functioned as expected. rsync on the local network ran fine.

$ rsync --list-only lcl@vega:data/tv/
Password:
drwxr-xr-x          4,096 2017/12/09 20:00:13 .
-rw-r--r--         15,260 2015/11/14 22:46:26 Channels
-rw-r--r--         19,688 2017/07/04 20:54:20 Channels.xspf
..............................................

It works OK over the local network also.

$ cd trimmers
[lcl@markab trimmers]$ ll trimmers
-rwxr--r-- 1 lcl lcl 47117 Jan 10  2017 trimmers*
$ rsync lcl@belexeuli:trimmers/trimmers .
Password:
$ ll trimmers
-rwxr--r-- 1 lcl lcl 49833 Dec 12 17:57 trimmers*

Good for x86_64.

Hmm. I seem to have done this one before.
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK
Mageia 5 :: x86_64

$ ll channels.xspf
-rw-r--r-- 1 lcl lcl 0 Dec 12 18:04 channels.xspf

Fine with local network operation after the update.

$ ll channels.xspf
-rw-r--r-- 1 lcl lcl 0 Dec 12 18:04 channels.xspf
$ rsync lcl@vega:data/tv/channels.xspf .
Password:
$ ll channels.xspf
-rw-r--r-- 1 lcl lcl 18963 Dec 12 18:22 channels.xspf

Tried out servercheck and synciso. They worked fine on the WAN.
Whiteboard: MGA5TOO MGA5-32-OK MGA6-64-OK => MGA5TOO MGA5-32-OK MGA6-64-OK MGA5-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory, validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0452.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED