Package: rsync
Version: 3.2.3-8
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <[email protected]>
There is apparently an integer overflow somewhere in rsync.
When using
rsync -rlptzv --progress <remote> <local>
to update a big file (870 MB), an unexpected large negative integer
was displayed for a short period. I didn't have the time to copy-paste
the output, but the integer was so large that it wasn't erased
completely. I got progress lines like:
255,484,704 28% 13.39MB/s 0:00:47 -8:-8
with "-8:-8" left over.
This might be a security issue. I also wonder whether due to internal
inconsistencies, files may incorrectly be rsync'ed.
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500,
'stable-security'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1,
'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.15.0-2-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=POSIX, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages rsync depends on:
ii init-system-helpers 1.61
ii libacl1 2.3.1-1
ii libc6 2.33-1
ii liblz4-1 1.9.3-2
ii libpopt0 1.18-3
ii libssl1.1 1.1.1l-1
ii libxxhash0 0.8.0-2
ii libzstd1 1.4.8+dfsg-3
ii lsb-base 11.1.0
ii zlib1g 1:1.2.11.dfsg-2
rsync recommends no packages.
Versions of packages rsync suggests:
ii openssh-client 1:8.7p1-2
ii openssh-server 1:8.7p1-2
ii python3 3.9.8-1
-- no debconf information
--
Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)