Rsync path spoofing attack vulnerability

Bug #1531061 reported by Taylor Raack
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
rsync (Ubuntu) | Fix Released | Undecided | Unassigned |
Nominated for Trusty by Rolf Leggewie
Nominated for Xenial by Rolf Leggewie

Bug Description

A security fix in rsync 3.1.2 was released, adding an extra check to the file list to prevent a malicious sender from using an unsafe destination path for a transferred file, such as a just-sent symlink.

Details on the bug from rsync's page (hosted at samba), replication information, and patch information can be found here: https://bugzilla.samba.org/show_bug.cgi?id=10977

Upstream patch:

https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=962f8b90045ab331fc04c9e65f80f1a53e68243b

Seems like this should be backported to currently supported LTS and regular releases as a security update?

Seth Arnold (seth-arnold) wrote :
information type: Private Security → Public Security
Changed in rsync (Ubuntu):
status: New → Confirmed
Rolf Leggewie (r0lf) wrote :

This was indeed fixed in xenial and trusty already. Thanks for reporting.

rsync (3.1.1-3ubuntu1) xenial; urgency=medium

  * SECURITY UPDATE: incomplete fix for rsync path spoofing attack
    - debian/patches/CVE-2014-9512-2.diff: add parent-dir validation for
      --no-inc-recurse too in flist.c, generator.c.
    - CVE-2014-9512

 -- Marc Deslauriers <email address hidden> Tue, 19 Jan 2016 14:58:35 -0500

Changed in rsync (Ubuntu):
status: Confirmed → Fix Released
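
An added illustration of the kind of parent-directory validation the changelog entry describes, not rsync's code and not part of this bug report: a receiver refuses any file-list entry whose parent was not already sent as a real directory. The `entry` struct, `first_unsafe_entry` and the sample lists are hypothetical, and paths are assumed to be relative and normalized.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified file-list entry; not rsync's struct file_struct. */
enum kind { K_DIR, K_FILE, K_SYMLINK };
struct entry { const char *path; enum kind kind; };

/* Hypothetical helper: index of the first entry the receiver should refuse,
 * or -1 if all are acceptable. Assumes relative, normalized paths (no leading
 * '/', no ".." components); that check is out of scope here. */
int first_unsafe_entry(const struct entry *list, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        const char *p = list[i].path;
        const char *slash = strrchr(p, '/');
        size_t plen = slash ? (size_t)(slash - p) : 0;
        int parent_ok = (slash == NULL); /* top-level name: no parent to check */

        for (size_t j = 0; j < i; j++) {
            const char *q = list[j].path;
            if (strcmp(q, p) == 0)
                return (int)i;  /* path sent twice, e.g. as dir and as symlink */
            if (slash && strlen(q) == plen && memcmp(q, p, plen) == 0)
                parent_ok = (list[j].kind == K_DIR);
        }
        if (!parent_ok)
            return (int)i;      /* parent never sent, or sent as file/symlink */
    }
    return -1;
}

/* Constructed sample file lists. */
static const struct entry benign[] = {
    { "docs", K_DIR }, { "docs/readme.txt", K_FILE }, { "latest", K_SYMLINK } };
static const struct entry spoofed[] = {
    { "docs", K_DIR }, { "link", K_SYMLINK }, { "link/data.txt", K_FILE } };
static const struct entry resent[] = {
    { "docs", K_DIR }, { "docs", K_SYMLINK }, { "docs/readme.txt", K_FILE } };

int main(void)
{
    printf("benign:  %d\n", first_unsafe_entry(benign, 3));
    printf("spoofed: %d\n", first_unsafe_entry(spoofed, 3));
    printf("resent:  %d\n", first_unsafe_entry(resent, 3));
    return 0;
}
```

Because the scan stops at the first refused entry, checking only the immediate parent is enough: every earlier entry, including that parent, has already passed the same test.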