Bug 30696 - rsync new security issue CVE-2022-29154
Summary: rsync new security issue CVE-2022-29154
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-08-03 00:45 CEST by David Walser
Modified: 2022-08-25 23:23 CEST (History)
5 users

See Also:
Source RPM: rsync-3.2.2-2.mga8.src.rpm
CVE: CVE-2022-29154
Status comment:


Description David Walser 2022-08-03 00:45:20 CEST
A security issue in rsync has been announced today (August 2):
https://seclists.org/oss-sec/2022/q3/77

The issue will be fixed in 3.2.5.

Mageia 8 is also affected.
David Walser 2022-08-03 00:45:26 CEST

Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2022-08-03 01:20:41 CEST
openwall version of the URL:
https://www.openwall.com/lists/oss-security/2022/08/02/1
Comment 2 Lewis Smith 2022-08-03 21:36:17 CEST
Obliged to assign this globally, no one packager in evidence.

Assignee: bugsquad => pkg-bugs

Comment 3 David Walser 2022-08-17 18:59:51 CEST
openSUSE has issued an advisory for this on August 16:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OZDMOCCGHF4NPIRQFQC2LBFH6YXI6QMU/

Stig-Ørjan has updated Cauldron to 3.2.5.

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Status comment: (none) => Fixed upstream in 3.2.5
CC: (none) => smelror

Comment 4 Nicolas Salguero 2022-08-22 16:46:24 CEST
Suggested advisory:
========================

The updated package fixes a security vulnerability:

An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. However, the rsync client performs insufficient validation of file names. A malicious rsync server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory and subdirectories (for example, overwrite the .ssh/authorized_keys file). (CVE-2022-29154)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29154
https://seclists.org/oss-sec/2022/q3/77
https://www.openwall.com/lists/oss-security/2022/08/02/1
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OZDMOCCGHF4NPIRQFQC2LBFH6YXI6QMU/
========================

Updated package in core/updates_testing:
========================
rsync-3.2.2-2.1.mga8

from SRPM:
rsync-3.2.2-2.1.mga8.src.rpm

Source RPM: rsync-3.2.4-1.mga9.src.rpm => rsync-3.2.2-2.mga8.src.rpm
CVE: (none) => CVE-2022-29154
Status comment: Fixed upstream in 3.2.5 => (none)
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero

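The advisory above describes the missing check: the sender chooses the file list, and the client wrote whatever names it received. The following is an added illustration of the receiver-side validation a client needs, not rsync's own code nor its 3.2.5 fix; the destination directory, the requested path list and the sample file list are constructed.

```python
import posixpath


def is_safe_received_name(dest_dir, requested, name):
    """Return True only if a sender-supplied name may be written under dest_dir.

    Illustrative receiver-side check (not rsync's own code): the sender picks
    the file list, so reject absolute names, any '..' component, anything
    that resolves outside dest_dir, and anything the client did not ask for.
    """
    if not name or name.startswith("/"):
        return False
    if any(part == ".." for part in name.split("/")):
        return False
    dest = posixpath.normpath(dest_dir)
    target = posixpath.normpath(posixpath.join(dest, name))
    if posixpath.commonpath([dest, target]) != dest:
        return False
    norm = posixpath.normpath(name)
    for req in requested:
        req_norm = posixpath.normpath(req)
        # "." means the client asked for the whole module/directory.
        if req_norm == "." or norm == req_norm or norm.startswith(req_norm + "/"):
            return True
    return False


def filter_file_list(dest_dir, requested, names):
    """Split a received file list into (accepted, rejected) lists."""
    accepted = [n for n in names if is_safe_received_name(dest_dir, requested, n)]
    rejected = [n for n in names if n not in accepted]
    return accepted, rejected


# Constructed sample: the client asked for "docs/"; a hostile or MITM sender
# pads the file list with names that would escape or bypass that request.
SAMPLE_LIST = [
    "docs/README",
    "docs/sub/notes.txt",
    "docs/../.ssh/authorized_keys",
    "/etc/passwd",
    ".ssh/authorized_keys",
    "docs2/leak",
]

if __name__ == "__main__":
    ok, bad = filter_file_list("/home/alice/backup", ["docs/"], SAMPLE_LIST)
    print("accepted:", ok)
    print("rejected:", bad)
```

Note that the last two sample names contain no `..` at all; only the "did the client ask for this?" test catches a sender that simply adds extra files to the list.
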
Comment 5 Thomas Andrews 2022-08-23 17:56:50 CEST
No installation issues.

Tested with Qarepo set to use an "rsync" mirror for downloading. Downloaded core versions of a package for testing, then after the test downloaded tainted versions. No issues noted.

Giving this an OK, and validating. Advisory in Comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update

Dave Hodgins 2022-08-24 22:41:14 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2022-08-25 23:23:05 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0302.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
