GLSA-200504-12 : rsnapshot: Local privilege escalation
Medium Nessus Plugin ID 18045
SynopsisThe remote Gentoo host is missing one or more security-related patches.
DescriptionThe remote host is affected by the vulnerability described in GLSA-200504-12 (rsnapshot: Local privilege escalation)
The copy_symlink() subroutine in rsnapshot follows symlinks when changing file ownership, instead of changing the ownership of the symlink itself.
Under certain circumstances, local attackers can exploit this vulnerability to take ownership of arbitrary files, resulting in local privilege escalation.
The copy_symlink() subroutine is not called if the cmd_cp parameter has been enabled.
SolutionAll rsnapshot users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose app-backup/rsnapshot