http://security.cucumberlinux.com/security/details.php?id=170

https://git.samba.org/?p=rsync.git;a=commit;h=5509597decdbd7b91994210f700329d8a35e70a1

https://git.samba.org/?p=rsync.git;a=commit;h=70aeb5fddd1b2f8e143276f8d5a085db16c593b9

[debian-lts-announce] 20171222 [SECURITY] [DLA 1218-1] rsync security update

DSA-4068

According to the version of the rsync package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerability :

  - The daemon in rsync 3.1.2, and 3.1.3-development before     2017-12-03, does not check for fnamecmp filenames in     the daemon_filter_list data structure (in the     recv_files function in receiver.c) and also does not     apply the sanitize_paths protection mechanism to     pathnames found in 'xname follows' strings (in the     read_ndx_and_attrs function in rsync.c), which allows     remote attackers to bypass intended access     restrictions.(CVE-2017-17434)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update of the rsync package has been released.

According to the versions of the rsync package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - The recv_files function in receiver.c in the daemon in     rsync 3.1.2, and 3.1.3-development before 2017-12-03,     proceeds with certain file metadata updates before     checking for a filename in the daemon_filter_list data     structure, which allows remote attackers to bypass     intended access restrictions.(CVE-2017-17433)

  - The daemon in rsync 3.1.2, and 3.1.3-development before     2017-12-03, does not check for fnamecmp filenames in     the daemon_filter_list data structure (in the     recv_files function in receiver.c) and also does not     apply the sanitize_paths protection mechanism to     pathnames found in 'xname follows' strings (in the     read_ndx_and_attrs function in rsync.c), which allows     remote attackers to bypass intended access     restrictions.(CVE-2017-17434)

  - The parse_arguments function in options.c in rsyncd in     rsync before 3.1.3 does not prevent multiple
    --protect-args uses, which allows remote attackers to     bypass an argument-sanitization protection     mechanism.(CVE-2018-5764)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update of 'rsync', 'linux' packages of Photon OS has been released.

An update of {'glibc', 'linux', 'rsync', 'curl'} packages of Photon OS has been released.

According to the versions of the rsync package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The recv_files function in receiver.c in the daemon in     rsync 3.1.2, and 3.1.3-development before 2017-12-03,     proceeds with certain file metadata updates before     checking for a filename in the daemon_filter_list data     structure, which allows remote attackers to bypass     intended access restrictions.(CVE-2017-17433)

  - The daemon in rsync 3.1.2, and 3.1.3-development before     2017-12-03, does not check for fnamecmp filenames in     the daemon_filter_list data structure (in the     recv_files function in receiver.c) and also does not     apply the sanitize_paths protection mechanism to     pathnames found in 'xname follows' strings (in the     read_ndx_and_attrs function in rsync.c), which allows     remote attackers to bypass intended access     restrictions.(CVE-2017-17434)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for rsync fixes several issues. These security issues were fixed :

  - CVE-2017-17434: The daemon in rsync did not check for     fnamecmp filenames in the daemon_filter_list data     structure (in the recv_files function in receiver.c) and     also did not apply the sanitize_paths protection     mechanism to pathnames found in 'xname follows' strings     (in the read_ndx_and_attrs function in rsync.c), which     allowed remote attackers to bypass intended access     restrictions' (bsc#1071460).

  - CVE-2017-17433: The recv_files function in receiver.c in     the daemon in rsync, proceeded with certain file     metadata updates before checking for a filename in the     daemon_filter_list data structure, which allowed remote     attackers to bypass intended access restrictions     (bsc#1071459).

  - CVE-2017-16548: The receive_xattr function in xattrs.c     in rsync did not check for a trailing '\\0' character in     an xattr name, which allowed remote attackers to cause a     denial of service (heap-based buffer over-read and     application crash) or possibly have unspecified other     impact by sending crafted data to the daemon     (bsc#1066644).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for rsync fixes the following issues: Security issues fixed :

  - CVE-2017-17434: The daemon in rsync did not check for     fnamecmp filenames in the daemon_filter_list data     structure (in the recv_files function in receiver.c) and     also did not apply the sanitize_paths protection     mechanism to pathnames found in 'xname follows' strings     (in the read_ndx_and_attrs function in rsync.c), which     allowed remote attackers to bypass intended access     restrictions' (bsc#1071460).

  - CVE-2017-17433: The recv_files function in receiver.c in     the daemon in rsync, proceeded with certain file     metadata updates before checking for a filename in the     daemon_filter_list data structure, which allowed remote     attackers to bypass intended access restrictions     (bsc#1071459).

  - CVE-2017-16548: The receive_xattr function in xattrs.c     in rsync did not check for a trailing '\\0' character in     an xattr name, which allowed remote attackers to cause a     denial of service (heap-based buffer over-read and     application crash) or possibly have unspecified other     impact by sending crafted data to the daemon     (bsc#1066644).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201801-16 (rsync: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in rsync. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could bypass intended access restrictions or cause a       Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

This update for rsync fixes the several issues.

These security issues were fixed :

  - CVE-2017-17434: The daemon in rsync did not check for     fnamecmp filenames in the daemon_filter_list data     structure (in the recv_files function in receiver.c) and     also did not apply the sanitize_paths protection     mechanism to pathnames found in 'xname follows' strings     (in the read_ndx_and_attrs function in rsync.c), which     allowed remote attackers to bypass intended access     restrictions' (bsc#1071460).

  - CVE-2017-17433: The recv_files function in receiver.c in     the daemon in rsync, proceeded with certain file     metadata updates before checking for a filename in the     daemon_filter_list data structure, which allowed remote     attackers to bypass intended access restrictions     (bsc#1071459).

  - CVE-2017-16548: The receive_xattr function in xattrs.c     in rsync did not check for a trailing '\\0' character in     an xattr name, which allowed remote attackers to cause a     denial of service (heap-based buffer over-read and     application crash) or possibly have unspecified other     impact by sending crafted data to the daemon     (bsc#1066644).

  - CVE-2014-9512: Prevent attackers to write to arbitrary     files via a symlink attack on a file in the     synchronization path (bsc#915410).

These non-security issues were fixed :

  - Stop file upload after errors like a full disk     (boo#1062063)

  - Ensure -X flag works even when setting owner/group     (boo#1028842)

Several vulnerabilities were discovered in rsync, a fast, versatile, remote (and local) file-copying tool, allowing a remote attacker to bypass intended access restrictions or cause a denial of service.

For Debian 7 'Wheezy', these problems have been fixed in version 3.0.9-4+deb7u1.

We recommend that you upgrade your rsync packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Jeriko One reports :

The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing '\0' character in an xattr name, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly have unspecified other impact by sending crafted data to the daemon.

The recv_files function in receiver.c in the daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, proceeds with certain file metadata updates before checking for a filename in the daemon_filter_list data structure, which allows remote attackers to bypass intended access restrictions.

The daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, does not check for fnamecmp filenames in the daemon_filter_list data structure (in the recv_files function in receiver.c) and also does not apply the sanitize_paths protection mechanism to pathnames found in 'xname follows' strings (in the read_ndx_and_attrs function in rsync.c), which allows remote attackers to bypass intended access restrictions.

Several vulnerabilities were discovered in rsync, a fast, versatile, remote (and local) file-copying tool, allowing a remote attacker to bypass intended access restrictions or cause a denial of service.

It was discovered that rsync proceeds with certain file metadata updates before checking for a filename. An attacker could use this to bypass access restrictions. (CVE-2017-17433)

It was discovered that rsync does not check for fnamecmp filenames and also does not apply the sanitize_paths protection mechanism to pathnames. An attacker could use this to bypass access restrictions.
(CVE-2017-17434).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
124963	EulerOS Virtualization 3.0.1.0 : rsync (EulerOS-SA-2019-1460)	Nessus	Huawei Local Security Checks	high
121904	Photon OS 2.0: Rsync PHSA-2018-2.0-0009	Nessus	PhotonOS Local Security Checks	high
121795	Photon OS 1.0: Rsync PHSA-2018-1.0-0096	Nessus	PhotonOS Local Security Checks	high
117553	EulerOS Virtualization 2.5.0 : rsync (EulerOS-SA-2018-1244)	Nessus	Huawei Local Security Checks	high
111907	Photon OS 1.0: Linux / Rsync PHSA-2018-1.0-0096 (deprecated)	Nessus	PhotonOS Local Security Checks	high
111278	Photon OS 2.0 : glibc / linux / rsync / curl (PhotonOS-PHSA-2018-2.0-0009) (deprecated)	Nessus	PhotonOS Local Security Checks	high
106153	EulerOS 2.0 SP2 : rsync (EulerOS-SA-2018-1012)	Nessus	Huawei Local Security Checks	high
106152	EulerOS 2.0 SP1 : rsync (EulerOS-SA-2018-1011)	Nessus	Huawei Local Security Checks	high
106129	SUSE SLED12 / SLES12 Security Update : rsync (SUSE-SU-2018:0118-1)	Nessus	SuSE Local Security Checks	high
106128	SUSE SLES11 Security Update : rsync (SUSE-SU-2018:0117-1)	Nessus	SuSE Local Security Checks	high
106087	GLSA-201801-16 : rsync: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
106063	openSUSE Security Update : rsync (openSUSE-2018-34)	Nessus	SuSE Local Security Checks	high
105425	Debian DLA-1218-1 : rsync security update	Nessus	Debian Local Security Checks	high
105406	FreeBSD : rsync -- multiple vulnerabilities (72fff788-e561-11e7-8097-0800271d4b9c)	Nessus	FreeBSD Local Security Checks	high
105332	Debian DSA-4068-1 : rsync - security update	Nessus	Debian Local Security Checks	high
105099	Ubuntu 14.04 LTS / 16.04 LTS / 17.04 / 17.10 : rsync vulnerabilities (USN-3506-1)	Nessus	Ubuntu Local Security Checks	high

CVE-2017-17434

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins