samba-bugs at samba.org
2016-Jun-03 11:59 UTC
[Bug 11949] New: A malicious sender can still use symlinks to overwrite files
https://bugzilla.samba.org/show_bug.cgi?id=11949
Bug ID: 11949
Summary: A malicious sender can still use symlinks to overwrite files
Product: rsync
Version: 3.1.2
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: core
Assignee: wayned at samba.org
Reporter: vcizek at suse.com
QA Contact: rsync-qa at samba.org
Commit 962f8b90045ab331fc04c9e65f80f1a53e68243b fixed an issue where malicious
servers can utilize a just sent symlink to overwrite arbitrary files
(CVE-2014-9512).
The check was implemented for the inc-recurse algorithm only.
An evil sender can bypass the check and still use the symlink vector by
negotiating protocol < 30.
You might consider fixing this in the non-incremental recursive algorithm as
well.
--
You are receiving this mail because:
You are the QA Contact for the bug.
samba-bugs at samba.org
2016-Jun-04 18:31 UTC
[Bug 11949] A malicious sender can still use symlinks to overwrite files
https://bugzilla.samba.org/show_bug.cgi?id=11949
Wayne Davison <wayned at samba.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |NEEDINFO
--- Comment #1 from Wayne Davison <wayned at samba.org> ---
You'll have to be more specific, since the fix was implemented in both
inc-recursive and non-inc-recursive modes (in separate fixes). I tested
--protocol=29 and --no-inc-recursive w/o issue (though the older protocol isn't
good enough to make the error visible on a "push" (such as a local copy), since
it doesn't retrieve remote errors like protocol 30 does when the remote side
dies). You can see the error via --msgs2stderr, or just rely on the error's
protocol-incompatibility exit error code.
samba-bugs at samba.org
2016-Jun-04 19:10 UTC
[Bug 11949] A malicious sender can still use symlinks to overwrite files
https://bugzilla.samba.org/show_bug.cgi?id=11949
--- Comment #2 from Wayne Davison <wayned at samba.org> ---
FYI, the other commit is: e12a6c087ca1eecdb8eae5977be239c24f4dd3d9
samba-bugs at samba.org
2016-Jun-04 19:19 UTC
[Bug 11949] A malicious sender can still use symlinks to overwrite files
https://bugzilla.samba.org/show_bug.cgi?id=11949
--- Comment #3 from Vitezslav Cizek <vcizek at suse.com> ---
(In reply to Wayne Davison from comment #2)
Thanks, I just found the commit too, I completely missed it before.
I reproduced this on a patched 3.1.1, not 3.1.2, if I remember it correctly.
So this report is likely invalid, I'll verify it on Monday.
Thanks for your quick response.
samba-bugs at samba.org
2016-Jun-06 09:01 UTC
[Bug 11949] A malicious sender can still use symlinks to overwrite files
https://bugzilla.samba.org/show_bug.cgi?id=11949
Vitezslav Cizek <vcizek at suse.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEEDINFO |CLOSED
Resolution|--- |INVALID
--- Comment #4 from Vitezslav Cizek <vcizek at suse.com> ---
(In reply to Wayne Davison from comment #2)
The commit
(https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=e12a6c087ca1eecdb8eae5977be239c24f4dd3d9)
indeed fixes the issue for the older recursive algorithm.
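One simplified way a receiver can guard against the symlink vector discussed in this thread, as an added illustration that is not rsync's code and not from the bug report: reject any file-list entry whose leading directory component was itself sent as a symlink, keeping that state whether the list arrives whole or in batches. The struct layout, function names and sample paths are constructed for this example, and paths are assumed to be already-normalized relative names.

```c
#include <stddef.h>
#include <string.h>

/* Simplified file-list entry, constructed for this example (not rsync's struct). */
struct entry { const char *path; int is_symlink; };
/* Symlinks the sender has transferred so far, kept across file-list batches. */
#define MAX_LINKS 32
struct checker { const char *links[MAX_LINKS]; size_t n; };

/* 1 if link is a leading directory component of path ("a/l" vs "a/l/x"). */
static int below(const char *path, const char *link)
{
    size_t len = strlen(link);
    return strncmp(path, link, len) == 0 && path[len] == '/';
}

/* Returns the index of the first entry that would be written through a symlink
 * sent in this transfer, -1 if the batch is clean, -2 if the table is full
 * (fail closed rather than skip the check). */
int check_batch(struct checker *c, const struct entry *e, size_t count)
{
    size_t i, j;
    for (i = 0; i < count; i++) {  /* record first: order within a batch is irrelevant */
        if (!e[i].is_symlink) continue;
        if (c->n == MAX_LINKS) return -2;
        c->links[c->n++] = e[i].path;
    }
    for (i = 0; i < count; i++)
        for (j = 0; j < c->n; j++)
            if (below(e[i].path, c->links[j])) return (int)i;
    return -1;
}

/* Constructed sample lists. */
static const struct entry dir_part[]  = { {"docs", 0}, {"docs/link", 1} };
static const struct entry file_part[] = { {"docs/link/target.txt", 0} };
static const struct entry whole[] = { {"docs", 0}, {"docs/link/target.txt", 0}, {"docs/link", 1} };
static const struct entry clean[] = { {"docs", 0}, {"docs/link", 1}, {"docs/linkage.txt", 0} };
/* Whole list in one batch, then a list with no entry below the symlink. */
int demo_whole(void) { struct checker c = {{0}, 0}; return check_batch(&c, whole, 3); }
int demo_clean(void) { struct checker c = {{0}, 0}; return check_batch(&c, clean, 3); }

/* Same entries split over two batches: the symlink table must persist. */
int demo_batched(void)
{
    struct checker c = {{0}, 0};
    if (check_batch(&c, dir_part, 2) != -1) return -3;
    return check_batch(&c, file_part, 1);
}
```

The check has to be reachable from every code path that accepts a file list; a guard wired into only one of them leaves the other open, which is the concern the original report raised.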