rsync 2.6.6pre1 released (ALERT: info on zlib security flaw)

Dmitry V. Levin ldv at altlinux.org
Sat Jul 9 21:33:11 GMT 2005


On Fri, Jul 08, 2005 at 02:10:19PM -0700, Wayne Davison wrote:
> [I neglected to cross-post this from the rsync-announce list to the
> regular rsync mailing list when I sent this out yesterday.]
> 
> There has been some talk about a zlib security problem that could let
> someone overflow the buffers in the zlib decompression code, potentially
> allowing someone to craft an exploit to execute arbitrary code.  Since
> this is a decompression bug, this can only affect an rsync daemon if
> it allows uploads with the --compress option enabled.

This bug (CAN-2005-2096) in zlib's inflate_table() is zlib-1.2.x only;
zlib-1.1.4 does not contain that code and is therefore not vulnerable.
That is, rsync-2.6.5 is not vulnerable.


-- 
ldv