[Bug 7936] Incremental file-list corruption due to temporary file_extra_cnt increments (CVE-2011-1097)
samba-bugs at samba.org
Thu Mar 31 19:39:09 MDT 2011
https://bugzilla.samba.org/show_bug.cgi?id=7936
Matt McCutchen <matt at mattmccutchen.net> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Random false checksum       |Incremental file-list
                   |mismatches                  |corruption due to temporary
                   |                            |file_extra_cnt increments
                   |                            |(CVE-2011-1097)

--- Comment #5 from Matt McCutchen <matt at mattmccutchen.net> 2011-04-01 01:39:08 UTC ---
The underlying bug here has potential security ramifications, so I was holding
off on adding the full story until rsync 3.0.8 was released with the fix.

Briefly: if --recursive, --delete, and --hard-links are on and --owner is off,
a malicious sender can cause the receiver's hard-link data structures to become
corrupted so as to break memory safety. I've demonstrated that this can lead
to heap corruption; arbitrary code execution has been neither confirmed nor
ruled out. (Some sites are claiming arbitrary code execution is known to be
possible; that is incorrect, unless they know something I don't.)

You can read more at https://bugzilla.redhat.com/show_bug.cgi?id=675036. See
also the CVE entry at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1097.