[Bug 7936] Incremental file-list corruption due to temporary file_extra_cnt increments (CVE-2011-1097)

samba-bugs at samba.org samba-bugs at samba.org
Thu Mar 31 19:39:09 MDT 2011


Matt McCutchen <matt at mattmccutchen.net> changed:

           What    |Removed                     |Added
            Summary|Random false checksum       |Incremental file-list
                   |mismatches                  |corruption due to temporary
                   |                            |file_extra_cnt increments
                   |                            |(CVE-2011-1097)

--- Comment #5 from Matt McCutchen <matt at mattmccutchen.net> 2011-04-01 01:39:08 UTC ---
The underlying bug here has potential security ramifications, so I was holding
off on adding the full story until rsync 3.0.8 was released with the fix. 
Briefly: if --recursive, --delete, and --hard-links are on and --owner is off,
a malicious sender can cause the receiver's hard-link data structures to become
corrupted so as to break memory safety.  I've demonstrated that this can lead
to heap corruption; arbitrary code execution has been neither confirmed nor
ruled out.  (Some sites are claiming arbitrary code execution is known to be
possible; that is incorrect, unless they know something I don't.)

You can read more at https://bugzilla.redhat.com/show_bug.cgi?id=675036.  See
also the CVE entry at

Configure bugmail: https://bugzilla.samba.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.

More information about the rsync mailing list