GLSA-200407-10 : rsync: Directory traversal in rsync daemon

This script is Copyright (C) 2004-2014 Tenable Network Security, Inc.


Synopsis :

The remote Gentoo host is missing one or more security-related
patches.

Description :

The remote host is affected by the vulnerability described in GLSA-200407-10
(rsync: Directory traversal in rsync daemon)

When rsyncd is used without chroot ('use chroot = false' in the rsyncd.conf
file), the paths sent by the client are not checked thoroughly enough. If
rsyncd is used with read-write permissions ('read only = false'), this
vulnerability can be used to write files anywhere with the rights of the
rsyncd daemon. With default Gentoo installations, rsyncd runs in a chroot,
without write permissions and with the rights of the 'nobody' user.

Impact :

On affected configurations and if the rsync daemon runs under a privileged
user, a remote client can exploit this vulnerability to completely
compromise the host.

Workaround :

You should never set the rsync daemon to run with 'use chroot = false'. If
for some reason you have to run rsyncd without a chroot, then you should
not set 'read only = false'.
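
The two settings named above can be checked mechanically. The following is an added example, not part of the advisory or of the Nessus plugin: a small Python audit that reads an rsyncd.conf and reports modules running without a chroot, marking those that are also writable. The sample configuration and module names are constructed, the parser is simplified (no line continuations or includes), and unset 'use chroot' and 'read only' are assumed to default to true.

```python
import re

FALSE_VALUES = {"no", "false", "0"}  # boolean spellings treated as "off"

# Constructed sample rsyncd.conf for illustration (not from the advisory).
SAMPLE_CONF = """\
# global section: applies to every module unless overridden
use chroot = false
[mirror]
    path = /srv/mirror
    read only = true
[upload]
    path = /srv/upload
    read only = false
[jailed]
    path = /srv/jailed
    use chroot = yes
    read only = no
"""

def parse_modules(text):
    # Returns {module: {param: value}}; each module starts from the globals.
    globals_, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = modules.setdefault(m.group(1).strip(), dict(globals_))
            continue
        if "=" in line:
            key, value = line.split("=", 1)  # only the first '=' is significant
            key = " ".join(key.lower().split())  # normalise case and spacing
            target = globals_ if current is None else current
            target[key] = value.strip()
    return modules

def audit(text):
    # Assumption: unset 'use chroot' and 'read only' both default to true.
    findings = {}
    for name, params in parse_modules(text).items():
        no_chroot = params.get("use chroot", "true").lower() in FALSE_VALUES
        writable = params.get("read only", "true").lower() in FALSE_VALUES
        if no_chroot and writable:
            findings[name] = "no chroot and writable"
        elif no_chroot:
            findings[name] = "no chroot (read-only)"
    return findings

if __name__ == "__main__":
    for module, issue in audit(SAMPLE_CONF).items():
        print(f"[{module}] {issue}")
```
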

See also :

http://www.gentoo.org/security/en/glsa/glsa-200407-10.xml

Solution :

All users should update to the latest version of the rsync package.
# emerge sync
# emerge -pv '>=net-misc/rsync-2.6.0-r2'
# emerge '>=net-misc/rsync-2.6.0-r2'

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

Family: Gentoo Local Security Checks

Nessus Plugin ID: 14543 (gentoo_GLSA-200407-10.nasl)

Bugtraq ID:

CVE ID: CVE-2004-0426