Ubuntu issued an advisory on January 23: https://usn.ubuntu.com/usn/usn-3543-1/
The issue will be fixed upstream in 3.1.3. Ubuntu links to the upstream commit that fixes the issue from here: https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-5764.html
Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Assignee: bugsquad => pkg-bugs
CC: (none) => marja11, nicolas.salguero
Patched packages uploaded for Mageia 5, Mageia 6, and Cauldron.

Advisory:
========================

Updated rsync package fixes security vulnerability:

It was discovered that rsync incorrectly parsed certain arguments. An attacker could possibly use this to bypass arguments and execute arbitrary code (CVE-2018-5764).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5764
https://usn.ubuntu.com/usn/usn-3543-1/
========================

Updated packages in core/updates_testing:
========================
rsync-3.1.1-5.4.mga5
rsync-3.1.2-1.3.mga6

from SRPMS:
rsync-3.1.1-5.4.mga5.src.rpm
rsync-3.1.2-1.3.mga6.src.rpm
Version: Cauldron => 6
Whiteboard: MGA6TOO => MGA5TOO
Assignee: pkg-bugs => qa-bugs
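The advisory above names one fixed NVR per release, so a tester wants a quick "is this box at or past the fixed package" check that does not depend on eyeballing digits. The script below is an added example, not part of this bug report or of the Mageia QA tooling: it parses the output of `rpm -q rsync`, picks the Mageia release from the `mgaN` dist tag, and compares version and release with a reimplementation of rpm's segment-wise version ordering (numeric segments by value, alphabetic segments lexically, numeric newer than alphabetic, `~` sorting before everything). Epoch and `^` handling are left out, which is fine for these package names. The sample NVR strings in the tests are constructed.

```python
import re

# Fixed package NVRs from the advisory, keyed by the dist tag in the release field.
FIXED = {
    "mga5": ("3.1.1", "5.4.mga5"),
    "mga6": ("3.1.2", "1.3.mga6"),
}

# name-version-release; version and release never contain '-'.
NVR = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)$")


def _take(s, i, pred):
    """Return the run of characters starting at s[i] for which pred() holds."""
    j = i
    while j < len(s) and pred(s[j]):
        j += 1
    return s[i:j]


def rpmvercmp(a, b):
    """Simplified rpmvercmp: -1 if a < b, 0 if equal, 1 if a > b.
    Epoch and the '^' separator are not handled (assumption: not needed here)."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        # separators (anything that is neither alphanumeric nor '~') are ignored
        while ia < len(a) and not (a[ia].isalnum() or a[ia] == "~"):
            ia += 1
        while ib < len(b) and not (b[ib].isalnum() or b[ib] == "~"):
            ib += 1
        # '~' sorts before anything, including the end of the string (1.0~rc1 < 1.0)
        ta = ia < len(a) and a[ia] == "~"
        tb = ib < len(b) and b[ib] == "~"
        if ta or tb:
            if ta and tb:
                ia += 1
                ib += 1
                continue
            return -1 if ta else 1
        if ia >= len(a) or ib >= len(b):
            break
        # take a segment of the same type (digits or letters) from both strings
        if a[ia].isdigit():
            sa, sb, numeric = _take(a, ia, str.isdigit), _take(b, ib, str.isdigit), True
        else:
            sa, sb, numeric = _take(a, ia, str.isalpha), _take(b, ib, str.isalpha), False
        ia += len(sa)
        ib += len(sb)
        if not sb:
            # segment types differ: a numeric segment is considered newer
            return 1 if numeric else -1
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if ia >= len(a) and ib >= len(b):
        return 0
    # whichever string still has segments left is the newer one
    return -1 if ia >= len(a) else 1


def is_patched(rpm_q_output):
    """True if the installed rsync NVR is at or past the fixed NVR for its Mageia release."""
    m = NVR.match(rpm_q_output.strip())
    if not m or m.group("name") != "rsync":
        raise ValueError("not an rsync NVR: %r" % rpm_q_output)
    dist = re.search(r"mga\d+", m.group("release"))
    if not dist or dist.group(0) not in FIXED:
        raise ValueError("no fixed version known for release tag in %r" % m.group("release"))
    fixed_version, fixed_release = FIXED[dist.group(0)]
    cmp = rpmvercmp(m.group("version"), fixed_version)
    if cmp == 0:
        cmp = rpmvercmp(m.group("release"), fixed_release)
    return cmp >= 0


if __name__ == "__main__":
    import subprocess
    import sys
    nvr = sys.argv[1] if len(sys.argv) > 1 else subprocess.check_output(["rpm", "-q", "rsync"]).decode()
    print("%s: %s" % (nvr.strip(), "patched" if is_patched(nvr) else "VULNERABLE"))
```

Run it with no arguments on the box under test, or pass an NVR as the only argument to check a string copied from a report. A Cauldron package (no `mgaN` tag in the release) is rejected rather than guessed at.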
Testing M5/64 AFTER update: rsync-3.1.1-5.4.mga5

"A remote user can send multiple '--protect-args' values to bypass the argument-sanitization protection mechanism on the target system". Could not find a PoC.

Used rsync to update my local M6 Gnome Live ISO from the rsync directory, which took some time - not done much before M6 release. Result checksummed OK.
Rsync'd 2 identical local directories - instantaneous.

OK for Mageia 5 x64. Doing the advisory.
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
Keywords: (none) => advisory
Installed and tested without issues.

Tested by syncing local to local, remote (ssh) to local and local to remote (ssh). Syncing in place some large files (VM images) and using rsnapshot (which uses rsync) to make backups of hundreds of GiB file systems with millions of files.

System: Mageia 6, x86_64, Intel CPU.

$ uname -a
Linux marte 4.14.15-desktop-2.mga6 #1 SMP Wed Jan 24 23:42:14 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -q rsync
rsync-3.1.2-1.3.mga6
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK
CC: (none) => mageia
Since we no longer insist on 32-bit testing, these two tests suffice, so the update can be validated.
Keywords: (none) => validated_update
CC: (none) => tarazed25, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0103.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED