CVE-2007-4091

Paul Slootman paul+rsync at wurtel.net
Thu Aug 30 09:12:08 GMT 2007


On Thu 30 Aug 2007, Sven.Hartrumpf at FernUni-Hagen.de wrote:
> Thu, 30 Aug 2007 01:41:01 -0400, danno wrote:

> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4091
> > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4091
> 
> SUSE has provided fixed RPMs for SUSE 10.0 - 10.2 some days ago.
> But rsync's cvs sources do not contain the string "4091", yet.

While preparing an update for Debian due to this issue,
I contacted Wayne and he informed me that the CVS version doesn't have
this issue (it was already fixed prior to the alert), so there's little
chance of the CVE number being mentioned in the CVS logs...
In other words, absence of the string "4091" doesn't mean the CVS
version is vulnerable.

He also gave a patch for 2.6.9 that was much simpler than the one
published in connection with this alert:

--- rsync-2.6.9/flist.c	2006-10-13 18:17:36.000000000 -0700
+++ flist.c	2007-08-15 14:28:59.000000000 -0700
@@ -735,7 +735,7 @@ struct file_struct *make_file(char *fnam
 		lastdir_len = -1;
 
 	if (strlcpy(thisname, fname, sizeof thisname)
-	    >= sizeof thisname - flist_dir_len) {
+	    >= sizeof thisname - flist_dir_len - 1) {
 		rprintf(FINFO, "skipping overly long name: %s\n", fname);
 		return NULL;
 	}
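Review bot: the changed bound `sizeof thisname - flist_dir_len - 1` in the strlcpy() check has no comment saying what the extra byte is reserved for, so the next reader cannot tell whether one byte is the complete correction. A one-line comment naming the byte would help; presumably it is a separator or terminator added when the directory prefix is joined to the name, but that code is not in this hunk. The right-hand side is also computed in size_t because of `sizeof`, and the declaration and range of flist_dir_len are not visible here. If flist_dir_len + 1 could ever reach sizeof thisname, the subtraction would wrap to a very large value and the check would never fire. Writing the test additively, as strlcpy(...) + flist_dir_len + 1 >= sizeof thisname, avoids relying on that bound.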


Paul Slootman

