rsync security advisory
paulh at hamjudo.com
Fri Dec 5 02:34:18 EST 2003
On Thu, 4 Dec 2003, Paul Slootman wrote:
> Date: Thu, 4 Dec 2003 11:34:44 +0100
> From: Paul Slootman <paul at debian.org>
> To: rsync at lists.samba.org
> Subject: Re: rsync security advisory
> On Thu 04 Dec 2003, Martin Pool wrote:
> > - rsync version 2.5.6 contains a heap overflow vulnerability that can
> > be used to remotely run arbitrary code.
> Is this specific to 2.5.6, or are earlier versions also vulnerable?
> Important detail, as it makes the difference between needing to upgrade
> older rsyncs as well, or only those that are 2.5.6... As Debian
> provides security patches for the stable release (which contains rsync
> 2.5.5), I'm wondering whether an update for that is necessary.
Sure looks necessary to me.
I downloaded the Debian Stable rsync from
with the debian patch
to get what I hope is the source for 2.5.5-0.1.
I then got the patch
It mostly applied to 2.5.5-0.1. It succeeds on all of the .c files
except for cleanup.c. It fails on all the non-.c files, mostly because
those changes update the string "2.5.6" to "2.5.7", which fails.
If I understand the attack, it looks like the parts of the
rsync-2.5.6-2.5.7.diff which apply to the Debian Stable rsync-2.5.5-0.1
are sufficient to block such attacks.
The change to cleanup.c fails because the function being changed doesn't
exist in 2.5.5.
That change is
I don't understand what that changes in the context of a buffer overflow
attack. On the assumption it does make a difference, you could change
log.c like so
which fixes the two places in 2.5.5-0.1 where there are empty parameter
lists in a function prototype.
Paul Haas paulh at hamjudo.com
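The backport triage described in this mail (dry-running the 2.5.6-to-2.5.7 diff against a 2.5.5 tree and noting which files reject), as an added example that is not part of the thread. It assumes `diff` and GNU `patch` on PATH and GNU patch's "checking file"/"patching file" and "FAILED" wording; every tree, file and version string it builds is a constructed stand-in, not rsync source.

```shell
#!/bin/sh
# Added example, not code from the thread: triage which files of a
# newer-release patch still apply to an older release before backporting it.
# Every tree, file and version string below is a constructed stand-in.
set -e

# backport_check <old_tree> <patch>: prints one line per file the patch
# touches, "<file>: applies" or "<file>: FAILS", from patch --dry-run output.
backport_check() {
    { patch --dry-run -p1 -d "$1" < "$2" 2>&1 || true; } | awk '
        /^(checking|patching) file / { if (cur != "") print cur ": " st
                                       cur = $3; st = "applies" }
        /FAILED/                     { st = "FAILS" }
        END                          { if (cur != "") print cur ": " st }'
}

# build_demo <dir>: constructs 2.5.5-, 2.5.6- and 2.5.7-like trees plus the
# 2.5.6 -> 2.5.7 diff, mirroring the three cases in the mail; prints the diff path.
build_demo() {
    d=$1
    for v in 2.5.5 2.5.6 2.5.7; do
        mkdir -p "$d/rsync-$v"
        printf '#define RSYNC_VERSION "%s"\n' "$v" > "$d/rsync-$v/version.h"
        # log.c: 2.5.7 replaces the empty parameter list with (void)
        [ "$v" = 2.5.7 ] && p=void || p=
        printf 'void log_init(%s);\n\nvoid log_init(%s)\n{\n}\n' "$p" "$p" \
            > "$d/rsync-$v/log.c"
    done
    # cleanup.c: the function changed in 2.5.7 does not exist in 2.5.5
    printf 'void cleanup_init(void)\n{\n}\n' > "$d/rsync-2.5.5/cleanup.c"
    printf 'void cleanup_init(void)\n{\n}\n\nvoid cleanup_run(void)\n{\n    return;\n}\n' \
        > "$d/rsync-2.5.6/cleanup.c"
    printf 'void cleanup_init(void)\n{\n}\n\nvoid cleanup_run(void)\n{\n    /* changed */\n    return;\n}\n' \
        > "$d/rsync-2.5.7/cleanup.c"
    (cd "$d" && diff -ru rsync-2.5.6 rsync-2.5.7 > rsync-2.5.6-2.5.7.diff) || true
    echo "$d/rsync-2.5.6-2.5.7.diff"
}

demo=$(mktemp -d)
backport_check "$demo/rsync-2.5.5" "$(build_demo "$demo")"
# prints: cleanup.c: FAILS / log.c: applies / version.h: FAILS
```

A file that applies only "with fuzz" is still reported as applying here; for a security backport, review those hunks by hand as well.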