Package: rsync
Version: 2.6.9-3
Severity: serious
Tags: security

Hi,
CVE-2007-4091 has not yet been published by MITRE (it is still RESERVED),
but Sebastian Krahmer (SuSE) published the issue in his
weblog. There is an off-by-one programming error in sender.c.
He also published a patch, which is attached to this mail.
More information about the issue can be found on:
http://c-skills.blogspot.com/2007/08/cve-2007-4091.html

Kind regards
Nico
-- 
Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- rsync-2.6.9.orig/sender.c	2006-09-20 03:53:32.000000000 +0200
+++ rsync-2.6.9/sender.c	2007-07-25 15:33:05.000000000 +0200
@@ -123,6 +123,7 @@
 	char fname[MAXPATHLEN];
 	struct file_struct *file;
 	unsigned int offset;
+	size_t l = 0;
 
 	if (ndx < 0 || ndx >= the_file_list->count)
 		return;
@@ -133,6 +134,20 @@
 				    file->dir.root, "/", NULL);
 	} else
 		offset = 0;
+
+	l = offset + 1;
+	if (file) {
+		if (file->dirname)
+			l += strlen(file->dirname);
+		if (file->basename)
+			l += strlen(file->basename);
+	}
+
+	if (l >= sizeof(fname)) {
+		rprintf(FERROR, "Overlong pathname\n");
+		exit_cleanup(RERR_FILESELECT);
+	}
+
 	f_name(file, fname + offset);
 	if (remove_source_files) {
 		if (do_unlink(fname) == 0) {
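Review bot: The bound computed at `l = offset + 1;` plus the two strlen() calls is only as tight as the layout that `f_name(file, fname + offset)` actually writes (separator between dirname and basename, terminating NUL), and nothing in the hunk says which byte the `+ 1` stands for or why the comparison is `>=` rather than `>`; a one-line comment such as `/* +1: separator f_name is expected to place between dirname and basename; the NUL is covered by the >= test */` would make the check reviewable against f_name without re-deriving it. The same twelve lines are repeated verbatim in the second send_files hunk (the one ending at `fname2 = f_name(file, fname + offset);`), and the two `size_t l = 0;` declarations added in the other hunks exist only to serve them; a static helper taking offset, file and the buffer size removes the duplication and keeps the arithmetic in one place, as sketched below. Both insertion points sit in functions whose bodies start and end outside these hunks.
```c
/* Reject a name that would not fit in the MAXPATHLEN buffer once
 * f_name() writes it at fname + offset (dirname, separator, basename,
 * NUL).  Fails closed instead of letting f_name() run past the end. */
static void check_fname_len(unsigned int offset,
			    const struct file_struct *file, size_t buflen)
{
	size_t l = offset + 1;	/* +1: separator f_name is expected to add */

	if (file) {
		if (file->dirname)
			l += strlen(file->dirname);
		if (file->basename)
			l += strlen(file->basename);
	}
	if (l >= buflen) {	/* >= leaves room for the NUL */
		rprintf(FERROR, "Overlong pathname\n");
		exit_cleanup(RERR_FILESELECT);
	}
}
/* … unchanged: offset computation in the caller … */
	check_fname_len(offset, file, sizeof(fname));
	f_name(file, fname + offset);
```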
@@ -224,6 +239,7 @@
 	enum logcode log_code = log_before_transfer ? FLOG : FINFO;
 	int f_xfer = write_batch < 0 ? batch_fd : f_out;
 	int i, j;
+	size_t l = 0;
 
 	if (verbose > 2)
 		rprintf(FINFO, "send_files starting\n");
@@ -259,6 +275,20 @@
 				fname[offset++] = '/';
 		} else
 			offset = 0;
+
+		l = offset + 1;
+		if (file) {
+			if (file->dirname)
+				l += strlen(file->dirname);
+			if (file->basename)
+				l += strlen(file->basename);
+		}
+
+		if (l >= sizeof(fname)) {
+			rprintf(FERROR, "Overlong pathname\n");
+			exit_cleanup(RERR_FILESELECT);
+		}
+
 		fname2 = f_name(file, fname + offset);
 
 		if (verbose > 2)

Attachment: pgp9HDqWkakwy.pgp
Description: PGP signature
