22461 – rsync new security issue CVE-2018-5764

Bug 22461 - rsync new security issue CVE-2018-5764

Summary: rsync new security issue CVE-2018-5764

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	6
Hardware:	All Linux

Priority:	Normal Severity: major
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA5TOO MGA5-64-OK MGA6-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2018-01-26 05:16 CET by David Walser
Modified:	2018-01-31 21:48 CET (History)
CC List:	5 users (show)

See Also:
Source RPM:	rsync-3.1.2-3.mga7.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2018-01-26 05:16:57 CET

Ubuntu has issued an advisory on January 23:
https://usn.ubuntu.com/usn/usn-3543-1/

The issue will be fixed upstream in 3.1.3.

Ubuntu has a link to the upstream commit to fix the issue from here:
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-5764.html

Mageia 5 and Mageia 6 are also affected.

David Walser 2018-01-26 05:17:05 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-01-26 07:28:48 CET

Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11, nicolas.salguero

Comment 2 David Walser 2018-01-28 22:45:48 CET

Patched packages uploaded for Mageia 5, Mageia 6, and Cauldron.

Advisory:
========================

Updated rsync package fixes security vulnerability:

It was discovered that rsync incorrectly parsed certain arguments. An attacker
could possibly use this to bypass arguments and execute arbitrary code
(CVE-2018-5764).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5764
https://usn.ubuntu.com/usn/usn-3543-1/
========================

Updated packages in core/updates_testing:
========================
rsync-3.1.1-5.4.mga5
rsync-3.1.2-1.3.mga6

from SRPMS:
rsync-3.1.1-5.4.mga5.src.rpm
rsync-3.1.2-1.3.mga6.src.rpm

Version: Cauldron => 6
Whiteboard: MGA6TOO => MGA5TOO
Assignee: pkg-bugs => qa-bugs

Comment 3 Lewis Smith 2018-01-29 14:48:52 CET

Testing M5/64
AFTER update: rsync-3.1.1-5.4.mga5

"A remote user can send multiple '--protect-args' values to bypass the argument-sanitization protection mechanism on the target system". Could not find a PoC.
Used rsync to update my local M6 Gnome Live ISO from the rsync directory, which took some time - not done much before M6 release. Result checksummed OK.
Rsync'd 2 identical local directories - instantaneous.

OK for Mageia 5 x64. Doing the advisory.

Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
Keywords: (none) => advisory

Comment 4 PC LX 2018-01-30 00:34:38 CET

Installed and tested without issues.

Tested by syncing local to local, remote (ssh) to local and local to remote (ssh). Syncing inplace some large files (VM images) and using rsnapshot (that uses rsync) to make backups of hundreds of GiB file systems with millions of files.

System: Mageia 6, x86_64, Intel CPU.

$ uname -a
Linux marte 4.14.15-desktop-2.mga6 #1 SMP Wed Jan 24 23:42:14 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q rsync
rsync-3.1.2-1.3.mga6

Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK
CC: (none) => mageia

Comment 5 Len Lawrence 2018-01-31 17:40:21 CET

Since we no longer insist on 32-bit testing these two tests suffice so the update can be validated.

Keywords: (none) => validated_update
CC: (none) => tarazed25, sysadmin-bugs

Comment 6 Mageia Robot 2018-01-31 21:48:22 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0103.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.