On Thu, 4 Dec 2003, Paul Slootman wrote:

> Date: Thu, 4 Dec 2003 11:34:44 +0100
> From: Paul Slootman <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: rsync security advisory
>
> On Thu 04 Dec 2003, Martin Pool wrote:
> >
> > - rsync version 2.5.6 contains a heap overflow vulnerability that can
> > be used to remotely run arbitrary code.
>
> Is this specific to 2.5.6, or are earlier versions also vulnerable?
> Important detail, as it makes the difference between needing to upgrade
> older rsync's as well, or only those that are 2.5.6... As Debian
> provides security patches for the stable release (which contains rsync
> 2.5.5), I'm wondering whether an update for that is necessary.
Sure looks necessary to me.

I downloaded the Debian Stable rsync from
http://ftp.us.debian.org/debian/pool/main/r/rsync/rsync_2.5.5.orig.tar.gz
with the Debian patch
http://ftp.us.debian.org/debian/pool/main/r/rsync/rsync_2.5.5-0.1.diff.gz
to get what I hope is the source for 2.5.5-0.1.

I then got the patch
http://rsync.samba.org/ftp/rsync/rsync-2.5.6-2.5.7.diff.gz

It mostly applied to 2.5.5-0.1. It succeeds on all of the .c files except
for cleanup.c. It fails on all the non-.c files, mostly because those
changes update the string "2.5.6" to "2.5.7", which fails.

If I understand the attack, it looks like the parts of the
rsync-2.5.6-2.5.7.diff which apply to the Debian Stable rsync-2.5.5-0.1
are sufficient to block such attacks.

The change to cleanup.c fails because the function being changed doesn't
exist in 2.5.5. That change is

-void close_all()
+void close_all(void)

I don't understand what that changes in the context of a buffer overflow
attack. On the assumption it does make a difference, you could change
log.c like so

-void log_open()
+void log_open(void)

and

-void log_close()
+void log_close(void)

which fixes the two places in 2.5.5-0.1 where there are empty parameter
lists in a function prototype.

--
Paul Haas
[EMAIL PROTECTED]

--
To unsubscribe or change options: http://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
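Review bot: the close_all hunk (-void close_all() / +void close_all(void)) is a prototype cleanup, not a bounds fix, and the same holds for the suggested log_open and log_close edits. In C89/C99 an empty parameter list `()` declares a function whose arguments are unspecified, so the compiler will accept a call that passes arguments; `(void)` declares that the function takes none and makes such a call a compile error. That improves type checking but does not touch any buffer handling, so its failing to apply on 2.5.5 does not by itself leave the heap overflow unaddressed; what matters is whether the hunks that change the length handling in the .c files applied, which the post reports they did.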
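The backport check described in the post (diff 2.5.6 to 2.5.7, then try that diff against 2.5.5) as an added example, not part of the original message and not rsync's code: a small Python dry-run that reports, hunk by hunk, whether a unified diff applies to a different base version and at what line offset. The three source files are constructed stand-ins for the rsync trees, and the matcher does exact context matching with offset only (no fuzz factor), so it is stricter than patch(1).

```python
"""Dry-run a unified diff against a different base version, hunk by hunk.

Added example: a minimal stand-in for `patch --dry-run`. The file contents
below are constructed and are NOT rsync's real source.
"""
import difflib
import re

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

# Constructed stand-in for a 2.5.6-era source file (not rsync's code).
V256 = """\
/* constructed stand-in for an rsync-like source file; not rsync's code */
#define VERSION "2.5.6"

#include "util.h"

static char src[4096];

static void read_block(char *buf, int len)
{
    int n = read_int();
    memcpy(buf, src, n);
    buf[n] = 0;
}

static void flush(void)
{
    write_buf(src, 0);
}

void close_all()
{
    cleanup();
}
"""

# Constructed "fixed" version: version bump, a length check before memcpy,
# and the () -> (void) prototype cleanup.
V257 = V256.replace('"2.5.6"', '"2.5.7"').replace(
    "    int n = read_int();\n",
    "    int n = read_int();\n    if (n < 0 || n >= len)\n"
    "        return; /* constructed bounds check */\n",
).replace("void close_all()", "void close_all(void)")

# Constructed older version: different version string, an extra declaration
# that shifts later lines by one, and no close_all() function at all.
V255 = V256.replace('"2.5.6"', '"2.5.5"').replace(
    "static char src[4096];\n", "static char src[4096];\nstatic int verbose;\n"
).replace("void close_all()", "void log_close()")


def make_diff(old, new, name="file.c"):
    """Unified diff between two versions, in the form patch(1) reads."""
    return "\n".join(difflib.unified_diff(
        old.splitlines(), new.splitlines(), "a/" + name, "b/" + name, lineterm=""))


def parse_hunks(diff_text):
    """Split a unified diff into (old_start, body_lines) hunks."""
    hunks = []
    for line in diff_text.splitlines():
        m = HUNK_RE.match(line)
        if m:
            hunks.append((int(m.group(1)), []))
        elif hunks and line[:1] in (" ", "-", "+"):
            hunks[-1][1].append(line)
    return hunks


def old_side(body):
    """Lines the hunk expects to find in the target: context plus removed lines."""
    return [l[1:] for l in body if l[0] in (" ", "-")]


def locate(target, expected, hint):
    """Index where `expected` occurs in `target`, nearest to the hinted line,
    or -1. Exact matching only: no fuzz, unlike patch(1)'s default."""
    n = len(expected)
    hits = [i for i in range(len(target) - n + 1) if target[i:i + n] == expected]
    return min(hits, key=lambda i: abs(i - hint)) if hits else -1


def dry_run(diff_text, target_text):
    """Return [(hunk_no, applies, offset)] for each hunk of the diff."""
    target = target_text.splitlines()
    report = []
    for no, (old_start, body) in enumerate(parse_hunks(diff_text), 1):
        hint = old_start - 1  # hunk headers are 1-based, lists are 0-based
        pos = locate(target, old_side(body), hint)
        report.append((no, pos >= 0, pos - hint if pos >= 0 else None))
    return report


def backport_report():
    """Diff 2.5.6 -> 2.5.7 and try it against 2.5.5, as the post describes."""
    return dry_run(make_diff(V256, V257), V255)


if __name__ == "__main__":
    for no, ok, off in backport_report():
        print(f"hunk #{no}: {'applies' if ok else 'FAILED'}"
              + (f" (offset {off:+d})" if ok else ""))
```

Run stand-alone it prints one line per hunk: the version-string hunk fails (the "2.5.6" context is not in the older file), the length-check hunk applies at offset +1, and the close_all hunk fails because the function to change does not exist in the older version, mirroring the three outcomes the post reports. The same routine can be pointed at any two real trees by reading the files instead of the constructed strings.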