[Bug 10936] Rsync path hijacking attack vulnerability
https://bugzilla.samba.org/show_bug.cgi?id=10936

--- Comment #6 from gaojianfeng ---

(In reply to Wayne Davison from comment #3)

Yes! In the newest rsync version (3.1.1), directly modifying the file path into an absolute path does not succeed in hijacking, due to the security checks, but using symbolic links can still bypass the security checks and spoof the client.

A new bug I submitted: https://bugzilla.samba.org/show_bug.cgi?id=10977

--
You are receiving this mail because:
You are the QA Contact for the bug.

--
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
[Bug 10936] Rsync path hijacking attack vulnerability
https://bugzilla.samba.org/show_bug.cgi?id=10936

--- Comment #5 from Wayne Davison ---

(In reply to roland from comment #4)

Yes, those are the commits for this bug.
[Bug 10936] Rsync path hijacking attack vulnerability
https://bugzilla.samba.org/show_bug.cgi?id=10936

--- Comment #4 from roland ---

That fix is these two commits, correct?

https://git.samba.org/?p=rsync.git;a=commit;h=371242e4e8150d4f9cc74cdf2d75d8250535175e
https://git.samba.org/?p=rsync.git;a=commit;h=4cad402ea8a91031f86c53961d78bb7f4f174790
[Bug 10936] Rsync path hijacking attack vulnerability
https://bugzilla.samba.org/show_bug.cgi?id=10936

Wayne Davison changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #3 from Wayne Davison ---

In your test, you didn't use 3.1.1 on the client side. This was fixed in that release:

ABORTING due to unsafe pathname from sender: /root/pwned.test
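The receiving side's sanity check that comment #3 describes, as an added illustration (this is hypothetical code written for this thread, not rsync's own implementation): the client rejects any pathname from the sender that is absolute or contains a ".." component. It is a purely lexical check, which is exactly why the symbolic-link case raised in comment #6 (bug 10977) is not covered by it; the filesystem must be consulted separately for that.

```c
#include <stdio.h>
#include <string.h>

/* Lexical check of a pathname received from the sender.
 * Returns 1 (unsafe) for an absolute path or any ".." component,
 * 0 otherwise. Does NOT follow symlinks: a safe-looking relative
 * path may still resolve outside the destination tree on disk. */
int is_unsafe_pathname(const char *path)
{
    const char *p = path;

    if (*p == '/')                    /* absolute path: never acceptable */
        return 1;

    while (*p) {
        const char *seg = p;
        while (*p && *p != '/')       /* scan one path component */
            p++;
        if ((size_t)(p - seg) == 2 && seg[0] == '.' && seg[1] == '.')
            return 1;                 /* ".." component escapes the tree */
        while (*p == '/')             /* skip separators, including "//" */
            p++;
    }
    return 0;
}

/* Client-side gate in the spirit of the 3.1.1 behaviour quoted above:
 * abort the transfer rather than create the file. Returns 1 if the
 * name is accepted, 0 if the transfer should be aborted. */
int accept_from_sender(const char *path)
{
    if (is_unsafe_pathname(path)) {
        fprintf(stderr, "ABORTING due to unsafe pathname from sender: %s\n", path);
        return 0;
    }
    return 1;
}
```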
Re: [Bug 10936] Rsync path hijacking attack vulnerability
This may seem silly, but isn't the point of asking an rsync server for files to create that you trust the server to tell you what files to ...

Wait, are you saying that the client will ignore the subtree that it thinks it is traversing? That the client does not sanity check the path it gets from the server?

"Never trust your client" just became "never trust your server" :-).

But it brings up an interesting question. Do servers also accept any filename from the client?
[Bug 10936] Rsync path hijacking attack vulnerability
https://bugzilla.samba.org/show_bug.cgi?id=10936

--- Comment #2 from gaojianfeng ---

(In reply to roland from comment #1)

yes
[Bug 10936] Rsync path hijacking attack vulnerability
https://bugzilla.samba.org/show_bug.cgi?id=10936

--- Comment #1 from roland ---

In other words - a malicious rsync server can force a client to create any file in any path, as long as the client can write to that path?

Indeed, an interesting find - and a security bug then.