Hopefully the email to the announce list will show up soon. Until then, you can get a jump on the rest by checking out the rsync home page to read the announcement:

http://rsync.samba.org/

It includes a security note about a fix that affects read/write daemons that are not using chroot. If that includes you, you should look into upgrading (or maybe enabling chroot on an older rsync).

..wayne..
On Mon 26 Apr 2004, Wayne Davison wrote:
> It includes a security note about a fix that affects read/write daemons
> that are not using chroot. If that includes you, you should look into
> upgrading (or maybe enabling chroot on an older rsync).

Is it possible to find the patches responsible for fixing the chroot thing? The stable version of Debian doesn't accept new versions to fix security risks (because the new version may introduce other as yet unknown security risks). Instead, policy is to patch the stable version with the fix. The cvsweb access from the website seems to be MIA (404).

Paul Slootman
On Sun, May 02, 2004 at 01:15:57PM +0200, Paul Slootman wrote:
> The patch below should do it. Note that line numbers may be off.

You placed the extra sanitize calls in server_options() instead of parse_arguments(). Since the args need to be sanitized on reception, the latter function is the right spot. Attached is a patch generated from 2.5.7.

..wayne..

-------------- next part -------------- --- rsync-2.5.7/options.c 2003-01-27 19:11:57.000000000 -0800 +++ options.c 2004-05-02 09:27:10.000000000 -0700 @@ -21,6 +21,8 @@ #include "rsync.h" #include "popt.h" +extern int sanitize_paths; + int make_backups = 0; /** @@ -615,6 +617,15 @@ int parse_arguments(int *argc, const cha } } + if (sanitize_paths) { + if (tmpdir) + sanitize_path(tmpdir, NULL); + if (compare_dest) + sanitize_path(compare_dest, NULL); + if (backup_dir) + sanitize_path(backup_dir, NULL); + } + if (write_batch && read_batch) { snprintf(err_buf,sizeof(err_buf), "write-batch and read-batch can not be used together\n");
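Review bot: in the parse_arguments() hunk, the new block only does anything if sanitize_paths is already non-zero when the received args are parsed, so the daemon must set that flag before it calls parse_arguments() on the client's option list; if it is set afterwards, or only on the chroot code path, tmpdir, compare_dest and backup_dir pass through unsanitized even though the extern added in the first hunk compiles cleanly. Worth confirming the order in the daemon code when applying this to the Debian 2.5.x tree, since Paul noted the line numbers may not match. Placing the block ahead of the write_batch/read_batch check is fine, as those flags carry no paths.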