samba-bugs at samba.org
2016-Jun-03 11:59 UTC
[Bug 11949] New: A malicious sender can still use symlinks to overwrite files
https://bugzilla.samba.org/show_bug.cgi?id=11949

Bug ID: 11949
Summary: A malicious sender can still use symlinks to overwrite files
Product: rsync
Version: 3.1.2
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: core
Assignee: wayned at samba.org
Reporter: vcizek at suse.com
QA Contact: rsync-qa at samba.org

Commit 962f8b90045ab331fc04c9e65f80f1a53e68243b fixed an issue where malicious servers can utilize a just sent symlink to overwrite arbitrary files (CVE-2014-9512).
The check was implemented for the inc-recurse algorithm only.
An evil sender can bypass the check and still use the symlink vector by negotiating protocol < 30.

You might consider fixing this in the non-incremental recursive algorithm as well.

--
You are receiving this mail because:
You are the QA Contact for the bug.

samba-bugs at samba.org
2016-Jun-04 18:31 UTC
[Bug 11949] A malicious sender can still use symlinks to overwrite files
https://bugzilla.samba.org/show_bug.cgi?id=11949

Wayne Davison <wayned at samba.org> changed:

What   |Removed   |Added
----------------------------------------------------------------------------
Status |NEW       |NEEDINFO

--- Comment #1 from Wayne Davison <wayned at samba.org> ---
You'll have to be more specific, since the fix was implemented in both inc-recursive and non-inc-recursive modes (in separate fixes). I tested --protocol=29 and --no-inc-recursive w/o issue (though the older protocol isn't good enough to make the error visible on a "push" (such as a local copy), since it doesn't retrieve remote errors like protocol 30 does when the remote side dies). You can see the error via --msgs2stderr, or just rely on the error's protocol-incompatibility exit error code.

samba-bugs at samba.org
2016-Jun-04 19:10 UTC
[Bug 11949] A malicious sender can still use symlinks to overwrite files
https://bugzilla.samba.org/show_bug.cgi?id=11949

--- Comment #2 from Wayne Davison <wayned at samba.org> ---
FYI, the other commit is: e12a6c087ca1eecdb8eae5977be239c24f4dd3d9

samba-bugs at samba.org
2016-Jun-04 19:19 UTC
[Bug 11949] A malicious sender can still use symlinks to overwrite files
https://bugzilla.samba.org/show_bug.cgi?id=11949

--- Comment #3 from Vitezslav Cizek <vcizek at suse.com> ---
(In reply to Wayne Davison from comment #2)
Thanks, I just found the commit too, I completely missed it before.
I reproduced this on a patched 3.1.1, not 3.1.2, if I remember it correctly.
So this report is likely invalid, I'll verify it on Monday.

Thanks for your quick response.

samba-bugs at samba.org
2016-Jun-06 09:01 UTC
[Bug 11949] A malicious sender can still use symlinks to overwrite files
https://bugzilla.samba.org/show_bug.cgi?id=11949

Vitezslav Cizek <vcizek at suse.com> changed:

What       |Removed    |Added
----------------------------------------------------------------------------
Status     |NEEDINFO   |CLOSED
Resolution |---        |INVALID

--- Comment #4 from Vitezslav Cizek <vcizek at suse.com> ---
(In reply to Wayne Davison from comment #2)
The commit (https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=e12a6c087ca1eecdb8eae5977be239c24f4dd3d9) indeed fixes the issue for the older recursive algorithm.
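
The kind of receiver-side check this thread is about, as an added example that is not rsync's code and not part of the original messages: a simplified model that walks a received file list and rejects any entry whose parent path was not sent as a real directory. The entry tuples, `SAMPLE_FLIST` and `invalid_entries` are constructed for illustration, and the exact behaviour of the two commits is not reproduced here.

```python
import posixpath

DIR, FILE, SYMLINK = "dir", "file", "symlink"

# Constructed file list in the order a sender might transmit it.
SAMPLE_FLIST = [
    ("docs", DIR),
    ("docs/readme.txt", FILE),
    ("link", SYMLINK),               # symlink sent first ...
    ("link/authorized_keys", FILE),  # ... then used as a transfer path
    ("missing/file", FILE),          # parent never sent at all
]

def invalid_entries(flist):
    """Return (path, reason) for each entry with an untrustworthy ancestor."""
    # Record every kind seen per path, so a name sent twice (once as a
    # directory, once as a symlink) is not treated as a plain directory.
    kinds = {}
    for path, kind in flist:
        kinds.setdefault(posixpath.normpath(path), set()).add(kind)
    problems = []
    for path, _kind in flist:
        norm = posixpath.normpath(path)
        if norm.startswith("/") or norm == ".." or norm.startswith("../"):
            problems.append((path, "escapes transfer root"))
            continue
        # Every ancestor must have been sent, and only ever as a directory.
        parent = posixpath.dirname(norm)
        while parent:
            seen = kinds.get(parent)
            if seen is None:
                problems.append((path, f"parent {parent!r} not in file list"))
                break
            if seen != {DIR}:
                sent = "/".join(sorted(seen))
                problems.append((path, f"parent {parent!r} sent as {sent}"))
                break
            parent = posixpath.dirname(parent)
    return problems

if __name__ == "__main__":
    for path, reason in invalid_entries(SAMPLE_FLIST):
        print(f"reject {path}: {reason}")
```

The check does not depend on the negotiated protocol version or on whether the list arrives incrementally, which is the property the report was asking about.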