Bug 22216 - rsync new security issue CVE-2017-16548
Summary: rsync new security issue CVE-2017-16548
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2017-12-18 14:52 CET by David Walser
Modified: 2017-12-21 18:44 CET (History)
5 users (show)

See Also:
Source RPM: rsync-3.1.2-1.1.mga6.src.rpm
CVE: CVE-2017-16548
Status comment:


Description David Walser 2017-12-18 14:52:47 CET
Debian has issued an advisory on December 17:

The Debian page about the CVE has a link to the upstream commit to fix it:

Mageia 5 and Mageia 6 are also affected.
David Walser 2017-12-18 14:53:06 CET

Severity: normal => critical
Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 Marja Van Waes 2017-12-18 16:41:10 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11, nicolas.salguero
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2017-12-19 10:57:15 CET
Suggested advisory:

The updated package fixes a security vulnerability:

The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing '\0' character in an xattr name, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly have unspecified other impact by sending crafted data to the daemon. (CVE-2017-16548)


Updated package in 5/core/updates_testing:

from SRPMS:

Updated package in 6/core/updates_testing:

from SRPMS:

CVE: (none) => CVE-2017-16548
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO

Comment 3 Len Lawrence 2017-12-20 22:39:43 CET
Mageia 5 :: x86_64
Updated the package.
Used rsync to copy a text file from one machine to another on the LAN.
Edited the file then moved to the other machine and synchronized a copy of the original file with the remote file and then used diff to show the differences between the original and the rsynced file.  All in order.

Changed directory to the Mageia-6-LiveDVD-Xfce-i586-DVD directory and ran the command:
$ RSYNC_PASSWORD="<password>" rsync -avHP rsync://isoqa@bcd.mageia.org/isos/mageia6/Mageia-6-LiveDVD-Xfce-i586-DVD/ .
receiving incremental file list

sent 20 bytes  received 379 bytes  266.00 bytes/sec
total size is 1,984,052,071  speedup is 4,972,561.58

which is expected.

This is fine for mga5::x86_64.

CC: (none) => tarazed25
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK

Comment 4 Len Lawrence 2017-12-21 08:29:39 CET
Mageia 6 :: x86_64

Installed the update and ran similar tests to those in comment 3 using rsync to download remote files, overwrite local files and synchronize a Mageia iso.
No regressions.
Passing this for mga6 on 64-bit architecture.

Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK

Comment 5 Lewis Smith 2017-12-21 13:24:06 CET
Thanks Len for both your rapid tests. Validating + advisory.

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 6 Mageia Robot 2017-12-21 18:44:31 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.