Re: [Fink-users] Re: Latest security update and rsync

Alexander K. Hansen Fri, 03 Mar 2006 07:50:09 -0800

To clarify  the situation, I'll quote what Apple said about the update
(http://docs.info.apple.com/article.html?artnum=303382)



rsync

CVE-ID: CVE-2005-3712

Available for: Mac OS X v10.4.5, Mac OS X Server v10.4.5

Impact: Authenticated users may cause an rsync server to crash or
execute arbitrary code

Description: A heap-based buffer overflow may be triggered when the
rsync server is used with the flag that allows extended attributes to
be transferred. It may be possible for a malicious user with access to
an rsync server to cause denial of service or code execution. This
update addresses the problem by ensuring that the destination buffer
is large enough to hold the extended attributes. This issue does not
affect systems prior to Mac OS X v10.4. Credit to Jan-Derk Bakker for
reporting this issue.

----
So Panther is fine.

In addition, fink uses "rsync" rather than "/usr/bin/rsync" so
installing the Fink rsync package will work.  If you need to sync
files with extended attributes, e.g. resource forks, then your scripts
should just call /usr/bin/rsync explicitly.

--
Alexander K. Hansen
Fink Documenter
[Day Job] Levitated Dipole Experiment
http://psfcwww2.psfc.mit.edu/ldx/


-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid0944&bid$1720&dat1642
_______________________________________________
Fink-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fink-users

Re: [Fink-users] Re: Latest security update and rsync

Reply via email to