rsync security advisory

Paul Haas paulh at hamjudo.com
Fri Dec 5 02:34:18 EST 2003


On Thu, 4 Dec 2003, Paul Slootman wrote:

> Date: Thu, 4 Dec 2003 11:34:44 +0100
> From: Paul Slootman <paul at debian.org>
> To: rsync at lists.samba.org
> Subject: Re: rsync security advisory
>
> On Thu 04 Dec 2003, Martin Pool wrote:
> >
> >  - rsync version 2.5.6 contains a heap overflow vulnerability that can
> >    be used to remotely run arbitrary code.
>
> Is this specific to 2.5.6, or are earlier versions also vulnerable?
> Important detail, as it makes the difference between needing to upgrade
> older rsyncs as well, or only those that are 2.5.6...  As Debian
> provides security patches for the stable release (which contains rsync
> 2.5.5), I'm wondering whether an update for that is necessary.

Sure looks necessary to me.

I downloaded the Debian Stable rsync from
http://ftp.us.debian.org/debian/pool/main/r/rsync/rsync_2.5.5.orig.tar.gz
with the debian patch
http://ftp.us.debian.org/debian/pool/main/r/rsync/rsync_2.5.5-0.1.diff.gz
to get what I hope is the source for 2.5.5-0.1.

I then got the patch
http://rsync.samba.org/ftp/rsync/rsync-2.5.6-2.5.7.diff.gz
It mostly applied to 2.5.5-0.1.  It succeeds on all of the .c files
except for cleanup.c.  It fails on all the non-.c files, mostly because
those changes update the string "2.5.6" to "2.5.7", which fails.

If I understand the attack, it looks like the parts of the
rsync-2.5.6-2.5.7.diff which apply to the Debian Stable rsync-2.5.5-0.1
are sufficient to block such attacks.

The change to cleanup.c fails because the function being changed doesn't
exist in 2.5.5.

That change is
-void close_all()
+void close_all(void)
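Review bot: this hunk changes nothing at run time, so it need not be carried over to a tree that lacks the function. `void close_all()` is an old-style declaration with an unspecified parameter list, under which the compiler checks no arguments at call sites; `void close_all(void)` is a full prototype that rejects a call with arguments at compile time. The change is prototype hygiene, not a memory fix, so a rejected hunk here does not leave the backport short of the overflow fix; the same reasoning applies to the `log_open` and `log_close` variants below.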

I don't understand what that changes in the context of a buffer overflow
attack.  On the assumption it does make a difference, you could change
log.c like so
-void log_open()
+void log_open(void)
and
-void log_close()
+void log_close(void)
which fixes the two places in 2.5.5-0.1 where there are empty parameter
lists in a function prototype.

--
Paul Haas paulh at hamjudo.com
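The backport check described in the post, as an added example that is not part of the original message or of the rsync project: a small Python preflight that mimics what `patch --dry-run -p1` reports, namely whether each hunk's old-side lines are present in the target tree. The tree and the diff are constructed stand-ins, not real rsync 2.5.5 or 2.5.7 sources; they copy only the shape of the hunks discussed above so that the three outcomes reproduce: hunks that match (`log.c`), a hunk whose function does not exist in the target (`cleanup.c`), and a hunk keyed on the version string (`NEWS`). The file and function names in the code are assumptions made for the example.

```python
"""Preflight of unified-diff hunks against a source tree (dry-run, like `patch`).

Added example, not code from the rsync list post or from rsync itself. TREE and
DIFF are constructed stand-ins that copy only the shape of the hunks discussed
on the list, not real rsync 2.5.5 or 2.5.7 sources.
"""
import re
from dataclasses import dataclass, field

# Constructed stand-in for the unpacked rsync-2.5.5-0.1 tree (assumed layout).
TREE = {
    "log.c": (
        '#include "rsync.h"\n\n'
        "void log_open()\n{\n\tlogfile = NULL;\n}\n\n"
        "void log_close()\n{\n}\n"
    ),
    # No close_all() here: in this tree the function does not exist yet.
    "cleanup.c": '#include "rsync.h"\n\nvoid cleanup_exit(int code)\n{\n\texit(code);\n}\n',
    "NEWS": "rsync 2.5.5 release notes\n",
}

# Constructed stand-in for rsync-2.5.6-2.5.7.diff (hunk shapes only).
DIFF = """\
--- rsync-2.5.6/log.c
+++ rsync-2.5.7/log.c
@@ -3,2 +3,2 @@
-void log_open()
+void log_open(void)
 {
@@ -8,2 +8,2 @@
-void log_close()
+void log_close(void)
 {
--- rsync-2.5.6/cleanup.c
+++ rsync-2.5.7/cleanup.c
@@ -3,2 +3,2 @@
-void close_all()
+void close_all(void)
 {
--- rsync-2.5.6/NEWS
+++ rsync-2.5.7/NEWS
@@ -1 +1 @@
-rsync 2.5.6 release notes
+rsync 2.5.7 release notes
"""

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


@dataclass
class Hunk:
    old_start: int
    old_lines: list = field(default_factory=list)  # context + removed lines (old side)


def parse_unified_diff(text, strip=1):
    """Return {path: [Hunk, ...]}, stripping `strip` leading path components (patch -p<strip>)."""
    files, path, hunk = {}, None, None
    for line in text.splitlines():
        if line.startswith("+++ "):
            raw = line[4:].split("\t")[0]
            path = "/".join(raw.split("/")[strip:])
            files[path], hunk = [], None
        elif line.startswith("--- "):
            continue  # old-file header; the new-file header names the target
        elif (m := HUNK_RE.match(line)):
            hunk = Hunk(old_start=int(m.group(1)))
            files[path].append(hunk)
        elif hunk is not None and line[:1] in (" ", "-"):
            hunk.old_lines.append(line[1:])
        # '+' lines and '\ No newline' markers do not decide whether a hunk applies
    return files


def find_block(haystack, needle):
    """Index of the first contiguous occurrence of list `needle` in list `haystack`, or -1."""
    n = len(needle)
    for i in range(len(haystack) - n + 1):
        if haystack[i:i + n] == needle:
            return i
    return -1


def preflight(diff_text, tree, strip=1):
    """Dry-run `diff_text` against `tree` ({path: contents}).

    Returns {path: (ok, detail)}; on failure `detail` names the first old-side
    line of the hunk that did not match, the line patch would put in a .rej file.
    """
    report = {}
    for path, hunks in parse_unified_diff(diff_text, strip).items():
        if path not in tree:
            report[path] = (False, "target file missing")
            continue
        target = tree[path].splitlines()
        for h in hunks:
            if h.old_lines and find_block(target, h.old_lines) < 0:
                report[path] = (False, f"hunk @@ -{h.old_start} @@ does not match: {h.old_lines[0]!r}")
                break
        else:
            report[path] = (True, f"{len(hunks)} hunk(s) apply")
    return report


if __name__ == "__main__":
    for path, (ok, detail) in preflight(DIFF, TREE).items():
        print(f"{'ok    ' if ok else 'FAILED'} {path}: {detail}")
```

Against a real tree the tool to run is `patch -p1 --dry-run < rsync-2.5.6-2.5.7.diff` from inside the unpacked source, then read the rejected hunks. The point the example makes is that a failed hunk is not a security signal by itself: the `NEWS` failure is only a version-string mismatch, and the `cleanup.c` failure means the function is simply not there. The `void close_all()` to `void close_all(void)` hunk turns an unprototyped declaration into a full prototype; with an empty parameter list the C compiler checks no arguments at call sites, so the change affects compile-time checking only, not what the function does at run time, and the same holds for the `log_open` and `log_close` edits.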
