Bug 22161 - rsync new security issues CVE-2017-17433 and CVE-2017-17434
Summary: rsync new security issues CVE-2017-17433 and CVE-2017-17434
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA5TOO MGA5-32-OK MGA6-64-OK MGA5-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2017-12-09 21:21 CET by David Walser
Modified: 2017-12-17 00:20 CET (History)
5 users (show)

See Also:
Source RPM: rsync-3.1.2-1.mga6.src.rpm
CVE: CVE-2017-17433, CVE-2017-17434
Status comment:


Description David Walser 2017-12-09 21:21:58 CET
Ubuntu has issued an advisory on December 7:

Mageia 5 and Mageia 6 are also affected.
David Walser 2017-12-09 21:22:05 CET

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 Marja Van Waes 2017-12-10 09:29:15 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Comment 2 Nicolas Salguero 2017-12-11 10:49:46 CET

The patches apply cleanly and the compilation succeeds but some tests that passed without the patches fail with them.

What is the best solution: try to skip those failing tests or try to find in upstream code whether those tests have been updated to pass with the patches?

Best regards,


CC: (none) => nicolas.salguero

Comment 3 Nicolas Salguero 2017-12-11 11:10:02 CET
https://git.samba.org/?p=rsync.git;a=commit;h=f5e8a17e093065fb20fea00a29540fe2c7896441 contains the fix for the failing tests so I added it.
Comment 4 Nicolas Salguero 2017-12-11 11:16:40 CET
Suggested advisory:

The updated package fixes security vulnerabilities:

The recv_files function in receiver.c in the daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, proceeds with certain file metadata updates before checking for a filename in the daemon_filter_list data structure, which allows remote attackers to bypass intended access restrictions. (CVE-2017-17433)

The daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, does not check for fnamecmp filenames in the daemon_filter_list data structure (in the recv_files function in receiver.c) and also does not apply the sanitize_paths protection mechanism to pathnames found in "xname follows" strings (in the read_ndx_and_attrs function in rsync.c), which allows remote attackers to bypass intended access restrictions. (CVE-2017-17434)


Updated package in 5/core/updates_testing:

from SRPMS:

Updated package in 6/core/updates_testing:

from SRPMS:

Version: Cauldron => 6
Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2017-17433, CVE-2017-17434
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO

Comment 5 Len Lawrence 2017-12-12 00:31:40 CET
Mageia release 6 (Official) for x86_64

Updated rsync.

Checked the list of available isos using a ruby version of Lewis' onecheck which uses commands of this form: 
$ RSYNC_PASSWORD=\"#{pwd}\" rsync --list-only rsync://isoqa@bcd.mageia.org/isos/"
Selected a release and displayed the information on the server for a selected iso.

Ran my local synciso command to rsync the Live Xfce i586 iso.
This runs:
RSYNC_PASSWORD=\"#{pass}\" rsync -avHP rsync://isoqa@bcd.mageia.org/isos/#{release}/#{name}/ 
$ synciso
receiving incremental file list
            665 100%  649.41kB/s    0:00:00 (xfr#1, to-chk=9/14)
            673 100%  657.23kB/s    0:00:00 (xfr#2, to-chk=7/14)
            767 100%  749.02kB/s    0:00:00 (xfr#3, to-chk=5/14)

sent 112 bytes  received 2,624 bytes  1,824.00 bytes/sec
total size is 1,984,052,071  speedup is 725,165.23

That looks fine for 64 bits.

CC: (none) => tarazed25

Comment 6 Herman Viaene 2017-12-12 12:05:20 CET
MGA5-32 on Dell Latitude D600 Xfce
No installation issues
Testing by transferring some files from my M6 desktop:
$ rsync herman@mach1:/home/herman/Documents/airco/* .
Files have been transfered correctly.

CC: (none) => herman.viaene
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK

Comment 7 Len Lawrence 2017-12-12 18:58:30 CET
Mageia 6 :: x86_64

Updated rsync and tested local scripts which use rsync to the isoqa site.  They functioned as expected.

rsync on the local network ran fine.

$ rsync --list-only lcl@vega:data/tv/
drwxr-xr-x          4,096 2017/12/09 20:00:13 .
-rw-r--r--         15,260 2015/11/14 22:46:26 Channels
-rw-r--r--         19,688 2017/07/04 20:54:20 Channels.xspf

It works OK over the local network also.
$ cd trimmers
[lcl@markab trimmers]$ ll trimmers
-rwxr--r-- 1 lcl lcl 47117 Jan 10  2017 trimmers*
$ rsync lcl@belexeuli:trimmers/trimmers .
$ ll trimmers
-rwxr--r-- 1 lcl lcl 49833 Dec 12 17:57 trimmers*

Good for x86_64.
Hmm.  I seem to have done this one before.

Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK

Comment 8 Len Lawrence 2017-12-12 19:26:50 CET
Mageia 5 :: x86_64

$ ll channels.xspf 
-rw-r--r-- 1 lcl lcl 0 Dec 12 18:04 channels.xspf

Fine with local network operation after the update.

$ ll channels.xspf 
-rw-r--r-- 1 lcl lcl 0 Dec 12 18:04 channels.xspf
$ rsync lcl@vega:data/tv/channels.xspf .
$ ll channels.xspf
-rw-r--r-- 1 lcl lcl 18963 Dec 12 18:22 channels.xspf

Tried out servercheck and synciso.  They worked fine on the WAN.

Whiteboard: MGA5TOO MGA5-32-OK MGA6-64-OK => MGA5TOO MGA5-32-OK MGA6-64-OK MGA5-64-OK

Lewis Smith 2017-12-16 08:31:17 CET

CC: (none) => sysadmin-bugs
Keywords: (none) => advisory, validated_update

Comment 9 Mageia Robot 2017-12-17 00:20:56 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.