Your message dated Wed, 15 Aug 2007 19:47:04 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#438125: fixed in rsync 2.6.9-5
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: rsync
Version: 2.6.9-3
Severity: serious
Tags: security

Hi,
CVE-2007-4091 has not yet been published on mitre (RESERVED)
but Sebastian Krahmer (SuSE) published the issue in his 
weblog. There is an off-by-one programming error in sender.c.
He also published a patch which is attached to this mail.
More information about the issue can be found on:
http://c-skills.blogspot.com/2007/08/cve-2007-4091.html

Kind regards
Nico
-- 
Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- rsync-2.6.9.orig/sender.c	2006-09-20 03:53:32.000000000 +0200
+++ rsync-2.6.9/sender.c	2007-07-25 15:33:05.000000000 +0200
@@ -123,6 +123,7 @@
 	char fname[MAXPATHLEN];
 	struct file_struct *file;
 	unsigned int offset;
+	size_t l = 0;
 
 	if (ndx < 0 || ndx >= the_file_list->count)
 		return;
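Review bot: the new local `size_t l = 0;` is named with a lone lowercase L, which reads as the digit one in the later `l = offset + 1;` and `l += strlen(...)` lines; a name such as `len` or `path_len` would make the bound check easier to audit. The `= 0` initializer is also dead, since the following hunk assigns `l` unconditionally before its first use.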
@@ -133,6 +134,20 @@
 				    file->dir.root, "/", NULL);
 	} else
 		offset = 0;
+
+	l = offset + 1;
+	if (file) {
+		if (file->dirname)
+			l += strlen(file->dirname);
+		if (file->basename)
+			l += strlen(file->basename);
+	}
+
+	if (l >= sizeof(fname)) {
+		rprintf(FERROR, "Overlong pathname\n");
+		exit_cleanup(RERR_FILESELECT);
+	}
+
 	f_name(file, fname + offset);
 	if (remove_source_files) {
 		if (do_unlink(fname) == 0) {
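Review bot: the `if (file)` guard around the `strlen` calls implies `file` may be NULL, yet `file->dir.root` is dereferenced in the branch just above and `file` is passed to `f_name(file, fname + offset)` right after the check, so the guard either hides a NULL case the surrounding code does not handle or should be dropped. The `+ 1` in `l = offset + 1;` together with `l >= sizeof(fname)` also needs a comment stating which extra bytes it reserves (a separator between `dirname` and `basename`, the terminating NUL), because the bound cannot be verified from the hunk alone and the report describes this as an off-by-one fix.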
@@ -224,6 +239,7 @@
 	enum logcode log_code = log_before_transfer ? FLOG : FINFO;
 	int f_xfer = write_batch < 0 ? batch_fd : f_out;
 	int i, j;
+	size_t l = 0;
 
 	if (verbose > 2)
 		rprintf(FINFO, "send_files starting\n");
@@ -259,6 +275,20 @@
 				fname[offset++] = '/';
 		} else
 			offset = 0;
+
+		l = offset + 1;
+		if (file) {
+			if (file->dirname)
+				l += strlen(file->dirname);
+			if (file->basename)
+				l += strlen(file->basename);
+		}
+
+		if (l >= sizeof(fname)) {
+			rprintf(FERROR, "Overlong pathname\n");
+			exit_cleanup(RERR_FILESELECT);
+		}
+
 		fname2 = f_name(file, fname + offset);
 
 		if (verbose > 2)
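Review bot: this length check is a verbatim copy of the block added at `@@ -133,6 +134,20 @@`, so the two bounds can drift apart in a later edit; move it into one static helper in sender.c that takes `file` and `offset` and call it from both sites. `rprintf(FERROR, "Overlong pathname\n")` also gives no hint which entry was rejected; logging the computed length against `sizeof(fname)` would make the failure diagnosable without printing the overlong name itself.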



--- End Message ---
--- Begin Message ---
Source: rsync
Source-Version: 2.6.9-5

We believe that the bug you reported is fixed in the latest version of
rsync, which is due to be installed in the Debian FTP archive:

rsync_2.6.9-5.diff.gz
  to pool/main/r/rsync/rsync_2.6.9-5.diff.gz
rsync_2.6.9-5.dsc
  to pool/main/r/rsync/rsync_2.6.9-5.dsc
rsync_2.6.9-5_amd64.deb
  to pool/main/r/rsync/rsync_2.6.9-5_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Slootman <[EMAIL PROTECTED]> (supplier of updated rsync package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 15 Aug 2007 21:24:47 +0200
Source: rsync
Binary: rsync
Architecture: source amd64
Version: 2.6.9-5
Distribution: unstable
Urgency: high
Maintainer: Paul Slootman <[EMAIL PROTECTED]>
Changed-By: Paul Slootman <[EMAIL PROTECTED]>
Description: 
 rsync      - fast remote file copy program (like rcp)
Closes: 438125
Changes: 
 rsync (2.6.9-5) unstable; urgency=high
 .
   * fix two off-by-one errors leading to potential buffer overflow which may
     corrupt the stack (CVE-2007-4091)
     closes:#438125
Files: 
 0742560bcdcdc1e08ec224a2a8029184 556 net optional rsync_2.6.9-5.dsc
 5fa7b565e7de5365d172aad041ab3992 38544 net optional rsync_2.6.9-5.diff.gz
 4d29fcd2856c5ed4291e3c15f7774fd8 275002 net optional rsync_2.6.9-5_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFGw1X+utvvqbTW3hMRAgoXAJ4zTJCGnbHpc40A0R+b/Yf3gbsC3wCfUL0w
LhACToxV72HxJCNS3JtJGcA=
=P1QW
-----END PGP SIGNATURE-----


--- End Message ---
