rsync: Several vulnerabilities (CVE-2017-16548, CVE-2017-17433, CVE-2017-17434)
CVE-2017-16548: The receive_xattr function in xattrs.c in rsync 3.1.2
and 3.1.3-development does not check for a trailing '\0' character in
an xattr name, which allows remote attackers to cause a denial of
service (heap-based buffer over-read and application crash) or possibly
have unspecified other impact by sending crafted data to the daemon.
References:
https://bugzilla.samba.org/show_bug.cgi?id=13112
https://nvd.nist.gov/vuln/detail/CVE-2017-16548
Patch:
https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1
CVE-2017-17433: The recv_files function in receiver.c in the daemon
in rsync 3.1.2, and 3.1.3-development before 2017-12-03,
proceeds with certain file metadata updates before checking for a
filename in the daemon_filter_list data structure, which allows
remote attackers to bypass intended access restrictions.
References:
https://nvd.nist.gov/vuln/detail/CVE-2017-17433
Patch:
https://git.samba.org/?p=rsync.git;a=commit;h=3e06d40029cfdce9d0f73d87cfd4edaf54be9c51
CVE-2017-17434: The daemon in rsync 3.1.2, and 3.1.3-development
before 2017-12-03, does not check for fnamecmp filenames in the
daemon_filter_list data structure (in the recv_files function in
receiver.c) and also does not apply the sanitize_paths protection
mechanism to pathnames found in "xname follows" strings (in the
read_ndx_and_attrs function in rsync.c), which allows remote
attackers to bypass intended access restrictions.
References:
https://nvd.nist.gov/vuln/detail/CVE-2017-17434
Patches:
https://git.samba.org/?p=rsync.git;a=commit;h=5509597decdbd7b91994210f700329d8a35e70a1
https://git.samba.org/?p=rsync.git;a=commit;h=70aeb5fddd1b2f8e143276f8d5a085db16c593b9
(from redmine: issue id 8316, created on 2017-12-19, closed on 2018-01-02)
- Relations:
- child #8317 (closed)
- child #8318 (closed)
- child #8319 (closed)
- child #8320 (closed)
- child #8321 (closed)
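For CVE-2017-16548 above, an added example (not rsync's code and not taken from the linked patch) of validating a length-prefixed name from the network before it is used as a C string. The record layout, the parse_name function, the status names and the sample bytes are constructed for illustration; rejecting an embedded '\0' is extra strictness beyond what the advisory describes.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, simplified record (an assumption, not rsync's wire format):
 * one length byte, then that many name bytes, terminating '\0' included. */
enum name_status { NAME_OK, NAME_TRUNCATED, NAME_UNTERMINATED,
                   NAME_EMBEDDED_NUL, NAME_NOMEM };

/* Validate a received name before any str*() function touches it.
 * On NAME_OK, *out is a heap copy that is a valid C string. */
enum name_status parse_name(const unsigned char *rec, size_t rec_len, char **out)
{
    *out = NULL;
    if (rec_len < 1)
        return NAME_TRUNCATED;
    size_t name_len = rec[0];
    /* The declared length must fit inside what was actually received. */
    if (name_len < 1 || name_len > rec_len - 1)
        return NAME_TRUNCATED;
    const unsigned char *name = rec + 1;
    /* The kind of check the advisory says was missing: the last byte must
     * be '\0', or strlen()/strcmp() on the copy read past the allocation. */
    if (name[name_len - 1] != '\0')
        return NAME_UNTERMINATED;
    /* Extra strictness in this example: no '\0' before the last byte. */
    if (memchr(name, '\0', name_len - 1) != NULL)
        return NAME_EMBEDDED_NUL;
    char *copy = malloc(name_len);
    if (copy == NULL)
        return NAME_NOMEM;
    memcpy(copy, name, name_len);
    *out = copy;
    return NAME_OK;
}

/* Constructed sample records. */
const unsigned char rec_good[] = { 10, 'u','s','e','r','.','t','e','s','t','\0' };
const unsigned char rec_unterminated[] = { 9, 'u','s','e','r','.','t','e','s','t' };
const unsigned char rec_short[] = { 20, 'u','s','e','r' };
const unsigned char rec_embedded[] = { 5, 'a','\0','b','c','\0' };

int main(void)
{
    char *name;
    printf("good: %d\n", parse_name(rec_good, sizeof rec_good, &name));
    free(name);
    printf("bad: %d\n", parse_name(rec_unterminated, sizeof rec_unterminated, &name));
    return 0;
}
```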