3.1.0 daemon infinite loop when no matched user in secrets

Bug #1307230 reported by Ryan Finnie on 2014-04-13
This bug affects 1 person
Affects          Status         Importance   Assigned to   Milestone
rsync            Fix Released   High
rsync (Ubuntu)                  High         Unassigned
  Trusty                        High         Unassigned

Bug Description

[Impact]

 * In rsync 3.1.0, with a module configured for user authentication, a remote client can send an invalid username and cause an infinite CPU loop on the server child process.

 * The server master process is unaffected, allowing the remote client to do this multiple times toward system-wide denial of service.

[Test Case]

 * /tmp/rsyncd.conf

[test-module]
  path = /tmp
  auth users = *
  secrets file = /tmp/rsyncd.secrets

 * /tmp/rsyncd.secrets

gooduser:goodpass

 * Server:

chmod 0600 /tmp/rsyncd.secrets
rsync --no-detach --daemon --config /tmp/rsyncd.conf

 * Client:

RSYNC_PASSWORD=badpass rsync rsync://baduser@host/test-module/

[Regression Potential]

 * Legitimate authentication could possibly be broken by the fix.

[Other Info]

 * Upstream fix is git commit 0dedfbce2c1b851684ba658861fe9d620636c56a (https://git.samba.org/?p=rsync.git;a=commitdiff;h=0dedfbce2c1b851684ba658861fe9d620636c56a)
 * Patch has been tested by the reporter

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: rsync 3.1.0-2
ProcVersionSignature: Ubuntu 3.13.0-24.46-generic 3.13.9
Uname: Linux 3.13.0-24-generic x86_64
ApportVersion: 2.14.1-0ubuntu2
Architecture: amd64
Date: Sun Apr 13 13:59:38 2014
InstallationDate: Installed on 2012-04-17 (726 days ago)
InstallationMedia: Ubuntu-Server 12.04 LTS "Precise Pangolin" - Beta amd64 (20120415)
ProcEnviron:
 TERM=screen
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: rsync
UpgradeStatus: Upgraded to trusty on 2014-04-13 (0 days ago)
mtime.conffile..etc.default.rsync: 2012-05-26T00:47:05.076019


Ryan Finnie (fo0bar) wrote :
affects: rsync (Ubuntu) → rsync
affects: rsync → rsync (Ubuntu)
Ryan Finnie (fo0bar) on 2014-04-13
information type: Public → Private Security
description: updated
Changed in rsync:
importance: Unknown → High
status: Unknown → Fix Released
Marc Deslauriers (mdeslaur) wrote :
information type: Private Security → Public Security
Changed in rsync (Ubuntu Trusty):
status: New → Triaged
importance: Undecided → High
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package rsync - 3.1.0-2ubuntu0.1

---------------
rsync (3.1.0-2ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via invalid username (LP: #1307230)
    - debian/patches/CVE-2014-2855.diff: avoid infinite wait reading
      secrets file in authenticate.c.
    - CVE-2014-2855
 -- Marc Deslauriers <email address hidden> Thu, 17 Apr 2014 12:56:34 -0400

Changed in rsync (Ubuntu Trusty):
status: Triaged → Fix Released
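
To find hosts exposed to the condition in the [Impact] section, the script below (an added example, not part of the bug report or of rsync) lists the rsyncd.conf modules that have "auth users" set and, on Trusty, compares the installed package with the fixed version 3.1.0-2ubuntu0.1 from the changelog above. The function names and the sample configuration are constructed for illustration; folding parameter names to lower case is an auditing assumption.

```shell
#!/bin/sh
# Print each module whose effective "auth users" value is non-empty.
# Reads the files named as arguments, or stdin when there are none.
# Continuation lines (trailing backslash) are not handled.
auth_modules() {
    awk '
    function emit() { if (mod != "" && (has ? val : gval) != "") print mod }
    /^[ \t]*([#;]|$)/ { next }                # comments and blank lines
    /^[ \t]*\[.*\]/ {                         # [module] header
        emit()
        mod = $0
        sub(/^[ \t]*\[[ \t]*/, "", mod); sub(/[ \t]*\].*$/, "", mod)
        if (mod == "global") mod = ""         # [global] switches back to globals
        has = 0; val = ""
        next
    }
    {
        eq = index($0, "=")                   # only the first "=" is significant
        if (eq == 0) next
        name = tolower(substr($0, 1, eq - 1))
        gsub(/[ \t]/, "", name)               # whitespace in names is irrelevant
        if (name != "authusers") next
        v = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", v)
        if (mod == "") gval = v               # global default for later modules
        else { has = 1; val = v }             # module value overrides the default
    }
    END { emit() }
    ' "$@"
}

# Succeeds when the installed rsync package is at or past the fixed version
# named in this report. Only meaningful on Ubuntu Trusty.
trusty_rsync_fixed() {
    v=$(dpkg-query -W -f='${Version}' rsync 2>/dev/null) || return 2
    dpkg --compare-versions "$v" ge 3.1.0-2ubuntu0.1
}

# Constructed sample: the test module from this report plus an open module.
sample_conf() {
    cat <<'EOF'
[test-module]
  path = /tmp
  auth users = *
  secrets file = /tmp/rsyncd.secrets
[public]
  path = /srv/pub
EOF
}

sample_conf | auth_modules    # lists only the module that requires auth
```

On a real host, run `auth_modules /etc/rsyncd.conf` (or whichever file the daemon is started with) and treat any listed module on an unpatched 3.1.0 daemon as reachable by the denial of service described above.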