Integer overflow vulnerability in rsync

2003-12-09T00:00:00
ID VU:325603
Type cert
Reporter CERT
Modified 2006-05-01T19:33:00

Description

Overview

Some versions of the rsync program contain a remotely exploitable vulnerability. This vulnerability may allow an attacker to execute arbitrary code on the target system.

Description

rsync is an open source utility that provides fast incremental file transfer. It features the ability to operate as either a client or server when transferring data over a network.

An integer overflow error has been discovered in a portion of rsync's memory handling routines. An attacker sending an extremely large, specifically crafted file may be able to exploit this error to execute arbitrary code from the heap of the rsync process address space. This error results in a vulnerability primarily when the rsync program is used in server mode, accepting input from remote clients over the network.

Versions of the rsync software 2.5.6 and earlier contain this flaw. Note: We have received reports of this vulnerability being used to successfully compromise systems.
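The note names the bug class (an integer overflow in memory handling on attacker-supplied input) but not its mechanics. The following C program is an added illustration written for this page; it is not rsync's code and does not reproduce the actual flaw. It shows how a count-times-element-size computation on a 32-bit size type can wrap so that a tiny buffer is allocated for a much larger transfer, and the two checks a network daemon should apply before allocating. The function names, the record/element framing and the `MAX_RECORDS` cap are assumptions made here.

```c
/* Added illustration of the integer-overflow bug class named in the note.
 * This is NOT rsync's code and does not reproduce its flaw; the names,
 * the record/element framing and MAX_RECORDS are assumptions made here. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Untrusted peers supply lengths. A server that multiplies a count by an
 * element size and hands the product to malloc() trusts that arithmetic.
 * A 32-bit size type is modelled explicitly so the wrap is identical on
 * any host; on a 32-bit build the same happens with size_t. */

/* Unchecked computation: the product wraps modulo 2^32 without any error,
 * so a huge request can yield a tiny allocation that later data overruns. */
uint32_t naive_alloc_size(uint32_t count, uint32_t elem)
{
    return count * elem;
}

/* Checked computation: returns 1 and stores the byte count on success,
 * returns 0 and leaves *out untouched if count * elem would not fit. */
int checked_alloc_size(uint32_t count, uint32_t elem, uint32_t *out)
{
    if (elem != 0 && count > UINT32_MAX / elem)
        return 0;
    *out = count * elem;
    return 1;
}

/* Second line of defence: an explicit ceiling on what a peer may ask for,
 * applied before the arithmetic. MAX_RECORDS is an assumed policy value. */
#define MAX_RECORDS 1000000u

/* Returns 1 if the request is acceptable (and stores the byte count),
 * 0 if it is rejected for exceeding the cap or for arithmetic overflow. */
int validate_request(uint32_t count, uint32_t elem, uint32_t *bytes)
{
    if (count > MAX_RECORDS)
        return 0;
    return checked_alloc_size(count, elem, bytes);
}

int main(void)
{
    /* Constructed input: 0x40000001 records of 4 bytes each.
     * 0x40000001 * 4 = 0x100000004, which wraps to 4 in 32 bits. */
    uint32_t count = 0x40000001u, elem = 4, bytes = 0;

    printf("naive size   : %u bytes\n", naive_alloc_size(count, elem));
    printf("checked size : %s\n",
           checked_alloc_size(count, elem, &bytes) ? "accepted"
                                                   : "rejected (overflow)");
    printf("with cap     : %s\n",
           validate_request(count, elem, &bytes) ? "accepted" : "rejected");

    /* A sane request passes both checks. */
    if (validate_request(1000, 4, &bytes))
        printf("1000 x 4     : %u bytes, safe to allocate\n", bytes);
    return 0;
}
```

The overflow check divides rather than multiplies so that the comparison itself cannot wrap; the cap is kept separate because a request can be arithmetically valid and still far larger than any legitimate transfer, and rejecting it early is the cheaper control.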


Impact

An attacker may be able to execute arbitrary code in the context of the user running the rsync server, often root.


Solution

Apply patches

rsync version 2.5.7 has been released and contains patches to address this vulnerability.

Users using packaged versions of the rsync software are encouraged to review the vendor information in the Systems Affected section of this document for more details. Users compiling the rsync software from the distribution source code can obtain the patched version from the rsync homepage.


Workarounds

Administrators, particularly those who are unable to apply the patches in a timely fashion, are encouraged to consider implementing the following workarounds:

* Disable the rsync service on systems that do not require it to be running.
* Filter access to the rsync service. The rsync service normally runs on port `873/tcp`. Limiting access to this port from trusted clients may reduce exposure to this vulnerability.

Vendor Information


Apple Computer, Inc.: Affected

Updated: January 21, 2004

Status

Affected

Vendor Statement

The following is Apple's response for the Jaguar (MacOS X 10.2.x) product:

APPLE-SA-2003-12-19_Jaguar.asc

The following is Apple's response for the Panther (MacOS X 10.3.x) product:

APPLE-SA-2003-12-19_Panther.asc

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian Linux: Affected

Updated: December 08, 2003

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 404-1                     security@debian.org
<http://www.debian.org/security/>                           Martin Schulze
December 4th, 2003                    <http://www.debian.org/security/faq>
- --------------------------------------------------------------------------

Package        : rsync
Vulnerability  : heap overflow
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2003-0962

The rsync team has received evidence that a vulnerability in all versions of rsync prior to 2.5.7, a fast remote file copy program, was recently used in combination with a Linux kernel vulnerability to compromise the security of a public rsync server.

While this heap overflow vulnerability could not be used by itself to obtain root access on an rsync server, it could be used in combination with the recently announced do_brk() vulnerability in the Linux kernel to produce a full remote compromise.

Please note that this vulnerability only affects the use of rsync as an "rsync server". To see if you are running a rsync server you should use the command "netstat -a -n" to see if you are listening on TCP port 873. If you are not listening on TCP port 873 then you are not running an rsync server.

For the stable distribution (woody) this problem has been fixed in version 2.5.5-0.2.

For the unstable distribution (sid) this problem has been fixed in version 2.5.6-1.1.

However, since the Debian infrastructure is not yet fully functional after the recent break-in, packages for the unstable distribution are not able to enter the archive for a while. Hence they were placed in my home directory on the security machine:

<<http://klecker.debian.org/~joey/rsync/>>

We recommend that you upgrade your rsync package immediately if you are providing remote sync services. If you are running testing and provide remote sync services please use the packages for woody.

Upgrade Instructions
- --------------------

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

Source archives:

<http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5-0.2.dsc>
Size/MD5 checksum: 545 466c30b8dac303dc23a4e33bb64710ca
<http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5-0.2.diff.gz>
Size/MD5 checksum: 91526 a81021e1b1b60ae99e3fc95262ca96d6
<http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5.orig.tar.gz>
Size/MD5 checksum: 415156 39d76c62684750842d3884a77c2e5466

Alpha architecture:

<http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5-0.2_alpha.deb> Size/MD5 checksum: 227344 b885337ced8ec3c902b4ef43d560cff5

ARM architecture:

<http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5-0.2_arm.deb> Size/MD5 checksum: 206240 4e39539b438128912b4d0f4971134eb4

Intel IA-32 architecture:

<http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5-0.2_i386.deb> Size/MD5 checksum: 199034 50f61c7b8a009767093e36ba68790a7b

Intel IA-64 architecture:

<http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5-0.2_ia64.deb> Size/MD5 checksum: 255378 886348cd33646fc167da6b1a9cbdc165

HP Precision architecture:

<http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5-0.2_hppa.deb> Size/MD5 checksum: 213962 6057690f85e14d01072ab6a84ad52996

Motorola 680x0 architecture:

<http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5-0.2_m68k.deb> Size/MD5 checksum: 189620 d3c784bb621d2c7a66a2bd3fa418fad8

Big endian MIPS architecture:

<http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5-0.2_mips.deb> Size/MD5 checksum: 216122 f22358818b785d4bdb43cc56e0140f0a

Little endian MIPS architecture:

<http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5-0.2_mipsel.deb> Size/MD5 checksum: 216420 1e40db535e7b1d8340d65f101b2bb60a

PowerPC architecture:

<http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5-0.2_powerpc.deb> Size/MD5 checksum: 205436 d4bc1decf806f2102f434875ab4aa66e

Sun Sparc architecture:

<http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5-0.2_sparc.deb> Size/MD5 checksum: 205234 510bca72eacacf257b170da8c66b2255

These files will probably be moved into the stable distribution on its next revision.

- ---------------------------------------------------------------------------------
For apt-get: deb <http://security.debian.org/> stable/updates main
For dpkg-ftp: <ftp://security.debian.org/debian-security> dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: 'apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/z1w+W5ql+IAeqTIRAjA1AKC2+FkwWYUldK/vIazUi5wQkUYUaQCgl0S2 cKh+9lGwpAOPnSfTWxs9QgM= =EV6V -----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeBSD, Inc.: Affected

Updated: December 08, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

rsync is included as a third-party "port" in the FreeBSD system. A fix was committed to the FreeBSD ports collection CVS repository on 2003-12-04. FreeBSD users who have installed the rsync port are encouraged to update their ports tree and reinstall with the patched version.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Gentoo Linux: Affected

Updated: August 02, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The Gentoo Linux Security Team has released GLSA-200312-03 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Guardian Digital Inc.: Affected

Updated: December 08, 2003

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

+------------------------------------------------------------------------+
| Guardian Digital Security Advisory                    December 04, 2003 |
| <http://www.guardiandigital.com>                       ESA-20031204-032 |
|                                                                        |
| Package: rsync                                                         |
| Summary: heap overflow vulnerability                                   |
+------------------------------------------------------------------------+

EnGarde Secure Linux is an enterprise class Linux platform engineered to enable corporations to quickly and cost-effectively build a complete and secure Internet presence while preventing Internet threats.

OVERVIEW

A heap overflow vulnerability has been discovered in all versions of
rsync prior to 2.5.7. This vulnerability, exploitable when rsync is
being run in "server mode", may allow the attacker to run arbitrary
code on the compromised server.

Guardian Digital has backported these fixes to version 2.4.6.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0962 to this issue.

Guardian Digital products affected by this issue include:

EnGarde Secure Community v1.0.1
EnGarde Secure Community v2
EnGarde Secure Professional v1.1
EnGarde Secure Professional v1.2
EnGarde Secure Professional v1.5

It is recommended that all users apply this update as soon as possible.

SOLUTION

Guardian Digital Secure Network subscribers may automatically update
affected systems by accessing their account from within the Guardian
Digital WebTool.

To modify your GDSN account and contact preferences, please go to:

<https://www.guardiandigital.com/account/>

Below are MD5 sums for the updated EnGarde Secure Linux 1.0.1 packages:

SRPMS/rsync-2.4.6-1.0.7.src.rpm MD5 Sum: 0059b139dce38f237019ae64a5dfbd84

i386/rsync-2.4.6-1.0.7.i386.rpm MD5 Sum: 3d6cba56a9ccf244f7078cdfc1704b5d

i686/rsync-2.4.6-1.0.7.i686.rpm MD5 Sum: 68392cd5df92513f75107c037e7c6a29

REFERENCES

Guardian Digital's public key:
<http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY>

rsync's Official Web Site: <http://rsync.samba.org>

Guardian Digital Advisories: <http://infocenter.guardiandigital.com/advisories/>

Security Contact: security@guardiandigital.com

- --------------------------------------------------------------------------
Author: Ryan W. Maple <ryan@guardiandigital.com>
Copyright 2003, Guardian Digital, Inc.

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/z4wBHD5cqd57fu0RAtoCAKCOn4ObAhwgBnVw/iFSd+Gne8kliACeMrtV Y2hQtIKhRq9ZZspp/BpPoDc= =TrBp
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
To unsubscribe email engarde-security-request@engardelinux.org with "unsubscribe" in the subject of the message.

Copyright(c) 2003 Guardian Digital, Inc. GuardianDigital.com ------------------------------------------------------------------------

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Immunix: Affected

Updated: August 02, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The Immunix Security Team has published Immunix Secured OS Security Advisory IMNX-2003-73-001-01 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Mandriva, Inc.: Affected

Updated: December 08, 2003

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------

PACKAGE           : rsync
SUMMARY           : Fix for remote vulnerability
DATE              : 2003-12-04 18:46:00
ID                : CLA-2003:794
RELEVANT RELEASES : 8, 9

- -------------------------------------------------------------------------

DESCRIPTION
"rsync"[1] is a program used mainly to mirror files between remote
sites.

rsync versions prior to 2.5.7 have a heap buffer overflow
vulnerability[2] which can be exploited by remote attackers to
execute arbitrary code.

This vulnerability specially affects installations where rsync is
used as a server/daemon, that is, where it was started with the
--daemon command line argument.

A new rsync version, 2.5.7, was released by the authors to address
this vulnerability.

SOLUTION
It is recommended that all rsync users upgrade their packages.

IMPORTANT: after the update, the rsync server must be restarted
manually if it was already running.

REFERENCES
1. <http://rsync.samba.org/>
2. <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0962>

UPDATED PACKAGES
<ftp://atualizacoes.conectiva.com.br/8/SRPMS/rsync-2.5.7-5U80_1cl.src.rpm>
<ftp://atualizacoes.conectiva.com.br/8/RPMS/rsync-2.5.7-5U80_1cl.i386.rpm>
<ftp://atualizacoes.conectiva.com.br/9/SRPMS/rsync-2.5.7-13508U90_1cl.src.rpm>
<ftp://atualizacoes.conectiva.com.br/9/RPMS/rsync-2.5.7-13508U90_1cl.i386.rpm>

ADDITIONAL INSTRUCTIONS
The apt tool can be used to perform RPM packages upgrades:

- run:                 apt-get update
- after that, execute: apt-get upgrade

Detailed instructions regarding the use of apt and upgrade examples can be found at <http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en>

- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at <http://distro.conectiva.com.br/seguranca/chave/?idioma=en>
Instructions on how to check the signatures of the RPM packages can be found at <http://distro.conectiva.com.br/seguranca/politica/?idioma=en>

- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at <http://distro.conectiva.com.br/atualizacoes/?idioma=en>

- -------------------------------------------------------------------------
Copyright (c) 2003 Conectiva Inc. <http://www.conectiva.com>

- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see <http://www.gnupg.org>

iD8DBQE/z50v42jd0JmAcZARAi28AKC87tMeZ78lZDrz7r2VQ37VLcE3FQCg0639 36tHDoREvYy7zxf45fVsP0U= =rxDT -----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenBSD: Affected

Updated: December 08, 2003

Status

Affected

Vendor Statement

A heap overflow exists in rsync versions 2.5.6 and below that can be used by an attacker to run arbitrary code. The bug only affects rsync in server (daemon) mode and occurs *after* rsync has dropped privileges. By default, server will chroot(2) to the root of the file tree being served which significantly mitigates the impact of the bug. Installations that disable this behavior by placing "use chroot = no" in rsyncd.conf are vulnerable to attack.

Sites that do run rsync in server mode should update their rsync package as soon as possible. The rsync port has been updated in the 3.3 and 3.4 -stable branches and a new binary package has been built for OpenBSD 3.4/i386. It can be downloaded from:
<ftp://ftp.openbsd.org/pub/OpenBSD/3.4/packages/i386/rsync-2.5.7.tgz>

For more information on the bug, see:
<http://rsync.samba.org/>

For more information on packages errata, see:
<http://www.openbsd.org/pkg-stable.html>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenPKG: Affected

Updated: August 02, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The OpenPKG Security Team has released OpenPKG-SA-2003.051 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SCO: Affected

Updated: August 02, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The SCO Group has released SCO Security Advisory CSSA-2004-010.0 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI: Affected

Updated: January 21, 2004

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________
SGI Security Advisory

Title     : SGI Advanced Linux Environment security update #6
Number    : 20031202-01-U
Date      : December 10, 2003
Reference : Red Hat Advisory RHSA-2003:399-06, CAN-2003-0962
Fixed in  : Patch 10037 for SGI ProPack v2.3
______________________________________________________________________________

SGI provides this information freely to the SGI user community for its consideration, interpretation, implementation and use. SGI recommends that this information be acted upon as soon as possible.

SGI provides the information in this Security Advisory on an "AS-IS" basis only, and disclaims all warranties with respect thereto, express, implied or otherwise, including, without limitation, any warranty of merchantability or fitness for a particular purpose. In no event shall SGI be liable for any loss of profits, loss of business, loss of data or for any indirect, special, exemplary, incidental or consequential damages of any kind arising from your use of, failure to use or improper use of any of the instructions or information in this Security Advisory.
______________________________________________________________________________

- --------------
- --- Update ---
- --------------

SGI has released Patch 10037: SGI Advanced Linux Environment security update #6, which includes updated RPMs for SGI ProPack v2.3 for the Altix family of systems, in response to the following erratas released by Red Hat:

New rsync packages fix remote security vulnerability
<http://rhn.redhat.com/errata/RHSA-2003-399.html>

Patch 10037 is available from <http://support.sgi.com/> and <ftp://patches.sgi.com/support/free/security/patches/ProPack/2.3/>

The individual RPMs from Patch 10037 are available from:
<ftp://oss.sgi.com/projects/sgi_propack/download/2.3/updates/RPMS>
<ftp://oss.sgi.com/projects/sgi_propack/download/2.3/updates/SRPMS>

- -------------
- --- Links ---
- -------------

SGI Security Advisories can be found at: <http://www.sgi.com/support/security/> and <ftp://patches.sgi.com/support/free/security/advisories/>

Red Hat Errata: Security Alerts, Bugfixes, and Enhancements <http://www.redhat.com/apps/support/errata/>

SGI Advanced Linux Environment security updates can found on: <ftp://oss.sgi.com/projects/sgi_propack/download/>

SGI patches can be found at the following patch servers: <http://support.sgi.com/>

The primary SGI anonymous FTP site for security advisories and security patches is <ftp://patches.sgi.com/support/free/security/>

- -----------------------------------------
- --- SGI Security Information/Contacts ---
- -----------------------------------------

If there are questions about this document, email can be sent to security-info@sgi.com.

------oOo------

SGI provides security information and patches for use by the entire SGI community. This information is freely available to any person needing the information and is available via anonymous FTP and the Web.

The primary SGI anonymous FTP site for security advisories and patches is patches.sgi.com. Security advisories and patches are located under the URL <ftp://patches.sgi.com/support/free/security/>

The SGI Security Headquarters Web page is accessible at the URL: <http://www.sgi.com/support/security/>

For issues with the patches on the FTP sites, email can be sent to security-info@sgi.com.

For assistance obtaining or working with security patches, please contact your SGI support provider.

------oOo------

SGI provides a free security mailing list service called wiretap and encourages interested parties to self-subscribe to receive (via email) all SGI Security Advisories when they are released. Subscribing to the mailing list can be done via the Web (<http://www.sgi.com/support/security/wiretap.html>) or by sending email to SGI as outlined below.

% mail wiretap-request@sgi.com
subscribe wiretap < YourEmailAddress such as midwatch@sgi.com >
end
^d

In the example above, <YourEmailAddress> is the email address that you wish the mailing list information sent to. The word end must be on a separate line to indicate the end of the body of the message. The control-d (^d) is used to indicate to the mail program that you are finished composing the mail message.

------oOo------

SGI provides a comprehensive customer World Wide Web site. This site is located at <http://www.sgi.com/support/security/>.

------oOo------

If there are general security questions on SGI systems, email can be sent to security-info@sgi.com.

For reporting *NEW* SGI security issues, email can be sent to security-alert@sgi.com or contact your SGI support provider. A support contract is not required for submitting a security report.

______________________________________________________________________________ This information is provided freely to all interested parties and may be redistributed provided that it is not altered in any way, SGI is appropriately credited and the document retains and includes its valid PGP signature.

-----BEGIN PGP SIGNATURE----- Version: 2.6.2

iQCVAwUBP9dSdLQ4cFApAP75AQEpvwP/VUYN6tEWVK47JO90wYp/eGobWry029x4 brCSObwxcogBJhmUlc/ertL6UDAVoE99cC9Q6xqcSROw+SqAQvOs0ak0vyxEJLqR SY/Qlzh0RqWtw+dnCfrHd+NNlMbhg1wol9iYGFcYfvs9zq/9g7DGghZY6limDQTr JEGOtCeFyGA= =VZhA -----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SUSE Linux: Affected

Updated: December 08, 2003

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

SUSE Security Announcement

Package:                rsync
Announcement-ID:        SuSE-SA:2003:050
Date:                   Thursday, Dec 4th 2003 14:30 MET
Affected products:      7.3, 8.0, 8.1, 8.2, 9.0
                        SuSE Linux Database Server,
                        SuSE eMail Server III, 3.1
                        SuSE Linux Enterprise Server 7, 8
                        SuSE Linux Firewall on CD/Admin host
                        SuSE Linux Connectivity Server
                        SuSE Linux Office Server
Vulnerability Type:     local privilege escalation
Severity (1-10):        4
SUSE default package:   no
Cross References:       CAN-2003-0962

Content of this advisory:
1) security vulnerability resolved: heap overflow
   problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds:
   - discontinue of SuSE Linux 7.3
   - KDE
   - mc
   - apache
   - screen
   - mod_gzip
   - unace
3) standard appendix (further information)

______________________________________________________________________________

1) problem description, brief discussion, solution, upgrade information

The rsync suite provides client and server tools to easily support an administrator keeping the files of different machines in sync. In most private networks the rsync client tool is used via SSH to fulfill its tasks. In an open environment rsync is run in server mode accepting connections from many untrusted hosts with, but mostly without, authentication. The rsync server drops its root privileges soon after it was started and per default creates a chroot environment. Due to insufficient integer/bounds checking in the server code a heap overflow can be triggered remotely to execute arbitrary code. This code does not get executed as root and access is limited to the chroot environment. The chroot environment may be broken afterwards by abusing further holes in system software or holes in the chroot setup.

You are not vulnerable as long as you do not use rsync in server mode or you use authentication to access the rsync server.

As a temporary workaround you can disable access to your rsync server for untrusted parties, enable authentication or switch back to rsync via SSH.

Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update. Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web.

Intel i386 Platform:

SuSE-9.0:
<ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/rsync-2.5.6-193.i586.rpm>
e848708286572c8a793819e5a358274a
patch rpm(s):
<ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/rsync-2.5.6-193.i586.patch.rpm>
d70f7726a2c8850a8c085bdbe9afbf27
source rpm(s):
<ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/rsync-2.5.6-193.src.rpm>
45e14417a64704fcee1dfea390a5b3f6

SuSE-8.2:
<ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/rsync-2.5.6-193.i586.rpm>
341d1da31000831d994e48d0714b576d
patch rpm(s):
<ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/rsync-2.5.6-193.i586.patch.rpm>
d94f1a84fc07e92dfc87471f909314c9
source rpm(s):
<ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/rsync-2.5.6-193.src.rpm>
16b19cc2331ff577f2d1f9e116e74625

SuSE-8.1:
<ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/rsync-2.5.5-258.i586.rpm>
28799a5950666eb7f104e2831575fb3c
patch rpm(s):
<ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/rsync-2.5.5-258.i586.patch.rpm>
02557d2de1dc27ffd97845ebabb336b6
source rpm(s):
<ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/rsync-2.5.5-258.src.rpm>
6a7cd73509acf3cca12d9a4f4b3aec98

SuSE-8.0:
<ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/rsync-2.4.6-499.i386.rpm>
cf9fde4bcf1f3af3e3c5ae6bf5ceba85
patch rpm(s):
<ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/rsync-2.4.6-499.i386.patch.rpm>
0a61425e9bb345fe73e42926408257cb
source rpm(s):
<ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/rsync-2.4.6-499.src.rpm>
d5c29841ff1f387cb003c359eee868df

SuSE-7.3:
<ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/rsync-2.4.6-499.i386.rpm>
67b2400ee15d739e75a1463db7d003ca
source rpm(s):
<ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/rsync-2.4.6-499.src.rpm>
ececccdf316a4d98c66315fc560eb9b1

Sparc Platform:

SuSE-7.3:
<ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n2/rsync-2.4.6-190.sparc.rpm>
bd408eb2cfe82206439c78a1fbaecf60
source rpm(s):
<ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/rsync-2.4.6-190.src.rpm>
e500422c7cf0dc39c6bb3cf2445d9998

SuSE-7.3:
<ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n2/rsync-2.4.6-309.ppc.rpm>
7eebb018bce237a4f351f5e00761ead1
source rpm(s):
<ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/rsync-2.4.6-309.src.rpm>
2dd16900d70cbf06454dcd52b822a0ae

______________________________________________________________________________

2) Pending vulnerabilities in SUSE Distributions and Workarounds:

- discontinue of SuSE Linux 7.3 Two years after the release, SUSE will discontinue providing updates and security fixes for the SuSE Linux 7.3 consumer product on the Intel i386 and the PPC Power PC architectures. Vulnerabilities found after December 15th 2003 will not be fixed any more for SuSE Linux 7.3. Directory structures referring to the SuSE Linux 7.3 release will be moved to the discontinued/ tree on our main ftp server ftp.suse.com the distribution directories first, followed by the update/ directory tree in January 2004. Please note that our SuSE Linux Enterprise Server family products have a much longer support period. These products are not concerned by this announcement.

- KDE
  New KDE packages are currently being tested. These packages fix several vulnerabilities:
  + remote root compromise (CAN-2003-0690)
  + weak cookies (CAN-2003-0692)
  + SSL man-in-the-middle attack
  + information leak through HTML-referrer (CAN-2003-0459)
  + wrong file permissions of config files
  The packages will be released as soon as testing is finished.

- mc
  By using a special combination of links in archive-files it is possible to execute arbitrary commands while mc tries to open it in its VFS. The packages are currently tested and will be released as soon as possible.

- apache1/2
  The widely used HTTP server apache has several security vulnerabilities:
  - locally exploitable buffer overflow in the regular expression code. The attacker must be able to modify .htaccess or httpd.conf. (affects: mod_alias and mod_rewrite)
  - under some circumstances mod_cgid will output its data to the wrong client (affects: apache2)
  Update packages are available on our FTP servers.

- freeradius Two vulnerabilities were found in the FreeRADIUS package. The remote denial-of-service attack bug was fixed and new packages will be released as soon as testing was successfully finished. The other bug is a remote buffer overflow in the module rlm_smb. We do not ship this module and will fix it for future releases.

- screen A buffer overflow in screen was reported. Since SuSE Linux 8.0 we do not ship screen with the s-bit anymore. An update package will be released for 7.3 as soon as possible.

- mod_gzip The apache module mod_gzip is vulnerable to remote code execution while running in debug-mode. We do not ship this module in debug-mode but future versions will include the fix. Additionally the mod_gzip code was audited to fix more possible security related bugs.

` - unace
The tool unace for handling the archive format ACE is vulnerable to
a buffer overflow that can be triggered with long file-names as command
line argument. This only affects unace version 2.5. Unfortunately this
tool is provided closed source only from the author. Therefore we are
unable to check for other bugs or look at the patch.
Update packages are available from our FTP servers.

____________`

3) standard appendix: authenticity verification, additional information

- Package authenticity verification:

SUSE update packages are available on many mirror ftp servers all over the world. While this service is being considered valuable and important to the free and open source software community, many users wish to be sure about the origin of the package and its content before installing the package. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or rpm package: 1) md5sums as provided in the (cryptographically signed) announcement. 2) using the internal gpg signatures of the rpm package.

1) execute the command md5sum <name-of-the-file.rpm> after you downloaded the file from a SUSE ftp server or its mirrors. Then, compare the resulting md5sum with the one that is listed in the announcement. Since the announcement containing the checksums is cryptographically signed (usually using the key security@suse.de), the checksums show proof of the authenticity of the package. We recommend against subscribing to security lists which cause the email message containing the announcement to be modified so that the signature does not match after transport through the mailing list software. Downsides: You must be able to verify the authenticity of the announcement in the first place. If RPM packages are being rebuilt and a new version of a package is published on the ftp server, all md5 sums for the files are useless.

2) rpm package signatures provide an easy way to verify the authenticity of an rpm package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, where <file.rpm> is the filename of the rpm package that you have downloaded. Of course, package authenticity verification can only target an un-installed rpm package file. Prerequisites: a) gpg is installed b) The package is signed using a certain key. The public part of this key must be installed by the gpg program in the directory ~/.gnupg/ under the home directory of the user who performs the signature verification (usually root). You can import the key that is used by SUSE in rpm packages for SUSE Linux by saving this announcement to a file ("announcement.txt") and running the command (do "su -" to be root):

    gpg --batch; gpg < announcement.txt | gpg --import

SUSE Linux distributions version 7.1 and thereafter install the key "build@suse.de" upon installation or upgrade, provided that the package gpg is installed. The file containing the public key is placed at the top-level directory of the first CD (pubring.gpg) and at <ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de>.

- SUSE runs two security mailing lists to which any interested party may subscribe:

suse-security@suse.com - general/linux/SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an email to <suse-security-subscribe@suse.com>.

suse-security-announce@suse.com - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an email to <suse-security-announce-subscribe@suse.com>.

For general information or the frequently asked questions (faq) send mail to: <suse-security-info@suse.com> or <suse-security-faq@suse.com> respectively.

=====================================================================
SUSE's security contact is <security@suse.com> or <security@suse.de>.
The <security@suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________

The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, it is desired that the clear-text signature shows proof of the authenticity of the text. SUSE Linux AG makes no warranties of any kind whatsoever with respect to the information contained in this security advisory.

Type Bits/KeyID     Date       User ID
pub  2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub  1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see <http://www.gnupg.org>

mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3
0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY
EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p
WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iQEVAwUBP89p3ney5gA9JdPZAQEHywf7BVUbgRFR++QVCq2qt8930XR1OH0XbLkf oUhKnhyC025asQHEe0mF9PYFXIz5s+vFwYWVP68qheAvmQic2HH4qotv29wdSIP7 EXb8ilGcdDGnaZLaFk6473O1TV2vT/JMYB3RGYnnsDV+PXCDrzc5vL29IUjlpaFA IC+B1Y5nhMCpIRQ5NBnWBx+u00QPS44mXLZmHHtaj+60rSuIjv2n63sNg1jhXczL lja5Y3hNOLzuLJyPv62n4LffGCPdXk9deMyxOfkl8RBfu+Q0PEJmKD18PQOyPRjE 1hdMdBgwEz8BAbgr5YaNllKn1a09KV7TzlB+KbY02M8XTGnGd+MFUw== =mvKr -----END PGP SIGNATURE-----
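The SUSE appendix above describes a two-step check: verify the announcement's signature first, then compare each downloaded package's md5sum against the signed list. Doing that by hand for a dozen packages is error-prone, so the following POSIX shell script is an added example (not SUSE's, the rsync project's or CERT/CC's code). It assumes the announcement has already been saved to a file and its PGP signature verified with gpg, and it looks the package up by basename so the same function works on the checksum lists in the Slackware, Trustix and Turbolinux statements on this page, which put the checksum either first or last on the line. It reports the rebuilt-package case the text warns about (no entry for the file) as a distinct result from a real mismatch.

```shell
#!/bin/sh
# Added example (not SUSE's or CERT/CC's code): compare a downloaded update
# package against the md5sum listed in a vendor announcement whose PGP
# signature you have already verified (e.g. with: gpg --verify announcement.txt).
# Assumption: the announcement lists one package per line, with a 32-hex-digit
# md5sum somewhere on the line and a path or URL that ends in the package name.

# file_md5 FILE: print the md5 of FILE as 32 lowercase hex digits.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# announced_md5 ANNOUNCEMENT NAME: print the md5 the announcement gives for
# the package whose basename is NAME (prints nothing if there is no entry).
announced_md5() {
    awk -v want="$2" '
        {
            md5 = ""; hit = 0
            for (i = 1; i <= NF; i++) {
                f = $i
                if (length(f) == 32 && f ~ /^[0-9a-f]+$/) md5 = f
                gsub(/[<>]/, "", f)            # Turbolinux wraps URLs in < >
                n = split(f, parts, "/")
                if (parts[n] == want) hit = 1
            }
            if (md5 != "" && hit) { print md5; exit }
        }' "$1"
}

# check_package ANNOUNCEMENT PACKAGE
# exit status 0: checksum matches; 1: mismatch (tampered or corrupt download);
# 2: no entry for this file (typical when the vendor rebuilt and republished
#    the package, which makes the old announcement's checksums useless).
check_package() {
    ann=$1; pkg=$2
    base=$(basename "$pkg")
    expected=$(announced_md5 "$ann" "$base")
    if [ -z "$expected" ]; then
        echo "UNKNOWN $base: no checksum in $ann" >&2
        return 2
    fi
    actual=$(file_md5 "$pkg")
    if [ "$actual" = "$expected" ]; then
        echo "OK      $base"
        return 0
    fi
    echo "FAIL    $base: announcement says $expected, file has $actual" >&2
    return 1
}

# Usage: sh verify-update.sh announcement.txt rsync-2.5.7-i486-1.tgz
if [ "$#" -eq 2 ]; then
    check_package "$1" "$2"
fi
```

The md5sum check only proves the file is the one the vendor announced; the announcement's own signature (gpg --verify) or the rpm's embedded signature (rpm -v --checksig) is what ties it to the vendor, so run that step first and treat exit status 2 as "fetch a newer announcement", not as a pass.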

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Slackware: Affected

Updated: December 08, 2003

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security] rsync security update (SSA:2003-337-01)

Rsync is a file transfer client and server.

A security problem which may lead to unauthorized machine access or code execution has been fixed by upgrading to rsync-2.5.7. This problem only affects machines running rsync in daemon mode, and is easier to exploit if the non-default option "use chroot = no" is used in the /etc/rsyncd.conf config file.

Any sites running an rsync server should upgrade immediately.

For complete information, see the rsync home page:

<http://rsync.samba.org>

Here are the details from the Slackware 9.1 ChangeLog:
+--------------------------+
Wed Dec 3 22:18:35 PST 2003
patches/packages/rsync-2.5.7-i486-1.tgz: Upgraded to rsync-2.5.7.
  From the rsync-2.5.7-NEWS file:
  SECURITY:
  * Fix buffer handling bugs. (Andrew Tridgell, Martin Pool, Paul Russell, Andrea Barisani)
  The vulnerability affects sites running rsync in daemon mode (rsync servers). These sites should be upgraded immediately.
  (* Security fix *)
+--------------------------+

WHERE TO FIND THE NEW PACKAGE:
+-----------------------------+

Updated package for Slackware 8.1:
<ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/rsync-2.5.7-i386-1.tgz>

Updated package for Slackware 9.0:
<ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/rsync-2.5.7-i386-1.tgz>

Updated package for Slackware 9.1:
<ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/rsync-2.5.7-i486-1.tgz>

Updated package for Slackware -current:
<ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/rsync-2.5.7-i486-1.tgz>

MD5 SIGNATURES:
+-------------+

Slackware 8.1 package:
9adcdfaeca3022204bc1bef1d97802cf  rsync-2.5.7-i386-1.tgz

Slackware 9.0 package:
12788c9af15174c683ada4c5e5746372  rsync-2.5.7-i386-1.tgz

Slackware 9.1 package:
38d40a65d526f92c41ff72afae74e546  rsync-2.5.7-i486-1.tgz

Slackware -current package:
3f68fa78c6d095da4269e27806596d48  rsync-2.5.7-i486-1.tgz

INSTALLATION INSTRUCTIONS:
+------------------------+

If you're running rsync as a daemon, kill it:

# killall rsync

Then, upgrade the package:

# upgradepkg rsync-2.5.7-i486-1.tgz

Finally, restart the rsync daemon:

# rsync --daemon

+-----+

Slackware Linux Security Team
<http://slackware.com/gpg-key>
security@slackware.com

HOW TO REMOVE YOURSELF FROM THIS MAILING LIST:
Send an email to majordomo@slackware.com with this text in the body of the email message:

    unsubscribe slackware-security

You will get a confirmation message back. Follow the instructions to complete the unsubscription. Do not reply to this message to unsubscribe!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/zuYUakRjwEAQIjMRAv8BAJ4mBp2BLFrk2Uw6qYbQyzZGWxDAhQCeK717 XvGEot5Waqq4pwafZ2dw3Lc= =ddu3 -----END PGP SIGNATURE-----
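Slackware's statement narrows the exposure to two conditions: an rsync older than 2.5.7 running in daemon mode, made easier to exploit by the non-default "use chroot = no". The shell script below is an added example, not Slackware's, the rsync project's or CERT/CC's code, that audits a host for exactly those conditions before and after the upgradepkg step above. It assumes the first line of `rsync --version` has the form `rsync  version X.Y.Z  protocol version N` and that the daemon configuration follows rsyncd.conf syntax (global parameters before the first `[module]` section, which individual modules may override). It does not check whether a daemon is actually listening on 873/tcp; confirm that separately.

```shell
#!/bin/sh
# Added example (not Slackware's or the rsync project's code): audit a host for
# the rsync daemon heap overflow fixed in 2.5.7 (CAN-2003-0962).
# Assumptions: `rsync --version` starts with "rsync  version X.Y.Z ...", and the
# daemon config uses rsyncd.conf syntax ("key = value", "[module]" headers,
# '#' comments). Global parameters apply to every module unless overridden.

# version_lt A B: succeed if dotted version A sorts before B (2.5.6 < 2.5.7).
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# rsync_vulnerable VERSION: succeed if VERSION is 2.5.6 or earlier.
rsync_vulnerable() {
    version_lt "$1" 2.5.7
}

# rsync_version_string OUTPUT: extract X.Y.Z from the output of `rsync --version`.
rsync_version_string() {
    printf '%s\n' "$1" | sed -n '1s/^rsync *version *\([0-9][0-9.]*\).*/\1/p'
}

# chroot_disabled_sections CONF: print each section ("(global)" or a module
# name) that sets "use chroot = no"; the rsyncd default is "use chroot = yes".
chroot_disabled_sections() {
    awk '
        { line = $0; sub(/#.*/, "", line) }                 # drop comments
        line ~ /^[ \t]*\[/ { sec = line; gsub(/^[ \t]*\[|\].*$/, "", sec); next }
        {
            if (match(tolower(line), /^[ \t]*use[ \t]+chroot[ \t]*=[ \t]*/)) {
                v = substr(line, RSTART + RLENGTH)
                gsub(/[ \t]+$/, "", v)
                if (tolower(v) ~ /^(no|false|0)$/) print (sec == "" ? "(global)" : sec)
            }
        }' "$1"
}

# rsync_audit VERSION CONF: print findings; exit status 1 if the daemon is vulnerable.
rsync_audit() {
    ver=$1; conf=$2
    if [ -z "$ver" ]; then
        echo "rsync not installed or version unknown"
        return 0
    fi
    if rsync_vulnerable "$ver"; then
        echo "VULNERABLE: rsync $ver is older than 2.5.7 (CAN-2003-0962); upgrade now"
        secs=$(chroot_disabled_sections "$conf")
        if [ -n "$secs" ]; then
            echo "  easier to exploit: 'use chroot = no' set in: $(echo $secs)"
        fi
        return 1
    fi
    echo "OK: rsync $ver"
    return 0
}

# Usage: sh rsync-audit.sh /etc/rsyncd.conf
if [ "$#" -eq 1 ]; then
    rsync_audit "$(rsync_version_string "$(rsync --version 2>/dev/null)")" "$1"
fi
```

Run it once before `killall rsync` and once after `rsync --daemon` comes back up: the second run should report "OK: rsync 2.5.7". A module that still sets "use chroot = no" is worth fixing regardless of the version, since chroot is what limited the damage here.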

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Trustix Secure Linux: Affected

Updated: December 08, 2003

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2003-0048

Package name:      rsync
Summary:           remote code execution
Date:              2003-12-04
Affected versions: TSL 1.2, 1.5, 2.0

- --------------------------------------------------------------------------
Package description:
Rsync uses a quick and reliable algorithm to very quickly bring remote and host files into sync. Rsync is fast because it just sends the differences in the files over the network (instead of sending the complete files). Rsync is often used as a very powerful mirroring process or just as a more capable replacement for the rcp command. A technical report which describes the rsync algorithm is included in this package.

Problem description:
All versions of rsync prior to 2.5.7 contain a heap overflow that can be used to execute arbitrary code from remote. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0962 to this issue.

Action: We recommend that all systems with this package installed be upgraded. Please note that if you do not need the functionality provided by this package, you may want to remove it from your system.

Location:
All TSL updates are available from
<URI:http://http.trustix.org/pub/trustix/updates/>
<URI:ftp://ftp.trustix.org/pub/trustix/updates/>

About Trustix Secure Linux: Trustix Secure Linux is a small Linux distribution for servers. With focus on security and stability, the system is painlessly kept safe and up to date from day one using swup, the automated software updater.

Automatic updates: Users of the SWUP tool can enjoy having updates automatically installed using 'swup --upgrade'.

Public testing:
These packages have been available for public testing for some time. If you want to contribute by testing the various packages in the testing tree, please feel free to share your findings on the tsl-discuss mailinglist. The testing tree is located at <URI:http://tsldev.trustix.org/cloud/>

You may also use swup for public testing of updates:

    site {
      class = 0
      location = "http://tsldev.trustix.org/cloud/rdfs/latest.rdf"
      regexp = ".*"
    }

Questions?
Check out our mailing lists: <URI:http://www.trustix.org/support/>

Verification:
This advisory along with all TSL packages are signed with the TSL sign key. This key is available from: <URI:http://www.trustix.org/TSL-SIGN-KEY>

The advisory itself is available from the errata pages at <URI:http://www.trustix.org/errata/trustix-1.2/>, <URI:http://www.trustix.org/errata/trustix-1.5/> and <URI:http://www.trustix.org/errata/trustix-2.0/> or directly at <URI:http://www.trustix.org/errata/misc/2003/TSL-2003-0048-rsync.asc.txt>

MD5sums of the packages:

ff92f850103caec5566d3037005be1cc  ./1.2/rpms/rsync-2.5.7-1tr.i586.rpm
c96460c2df73f6f28e86676f0087eed7  ./1.2/srpms/rsync-2.5.7-1tr.src.rpm
24f991051c4d7dc7287770a999c91cfe  ./1.5/rpms/rsync-2.5.7-1tr.i586.rpm
c96460c2df73f6f28e86676f0087eed7  ./1.5/srpms/rsync-2.5.7-1tr.src.rpm
d74d3a08933b4d22439bc08cf435cec9  ./2.0/rpms/rsync-2.5.7-1tr.i586.rpm
1547e73b44c4ee2df24f28b67a229666  ./2.0/rpms/rsync-server-2.5.7-1tr.i586.rpm
406331367957dd7f9ddfe56dc8177580  ./2.0/srpms/rsync-2.5.7-1tr.src.rpm
- --------------------------------------------------------------------------

TSL Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/zwVBi8CEzsK9IksRArM6AKCaystKuJ7umB1LFxzcZGHVMu2VWwCgmJ0L LWHTlBr0+2jA31dQuVUoOIk= =huAV -----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

TurboLinux: Affected

Updated: December 08, 2003

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is an announcement only email list for the x86 architecture.

Turbolinux Security Announcement 06/Dec/2003
============================================================

The following page contains the security information of Turbolinux Inc.

- Turbolinux Security Center <http://www.turbolinux.com/security/>

(1) glibc -> Multiple vulnerabilities in glibc
(2) rsync -> Heap overflow

===========================================================
* glibc -> Multiple vulnerabilities in glibc
===========================================================

More information : The glibc package contains the standard C libraries used by applications.

When a user is a member of a large number of groups, the getgrouplist function in glibc allows attackers to cause a denial of service (segmentation fault) and execute arbitrary code.

Impact : This may allow attackers to cause a denial of service or execute arbitrary code.

Affected Products :
- Turbolinux 8 Server
- Turbolinux 8 Workstation
- Turbolinux 7 Server
- Turbolinux 7 Workstation

Solution :
Please use turbopkg(zabom) tool to apply the update.

    turbopkg

or

    zabom update glibc glibc-devel glibc-profile mtrace nscd

---------------------------------------------

<Turbolinux 8 Server>

Source Packages Size : MD5

<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/glibc-2.2.5-17.src.rpm> 15681872 c5f6718068cad57d328e9cbb99cfc5c2

Binary Packages Size : MD5

<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/glibc-2.2.5-17.i586.rpm> 10948308 e978c66d70ed23c1d37f3cf58fa1d7dd
<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/glibc-devel-2.2.5-17.i586.rpm> 3087284 027379201c146b8652691fa5fb407fb8
<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/glibc-profile-2.2.5-17.i586.rpm> 793319 2b825226d3e4628c4fc5a13d028dc42f
<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/mtrace-2.2.5-17.i586.rpm> 26289 3b7e3b3ee9fdad443214abc22ff011a3
<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/nscd-2.2.5-17.i586.rpm> 33180 2811c092ec2fed1a278f29d6f5393122

<Turbolinux 8 Workstation>

Source Packages Size : MD5

<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/glibc-2.2.5-17.src.rpm> 15681872 0ae07774f7aed8ddceda091ad1aa59eb

Binary Packages Size : MD5

<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/glibc-2.2.5-17.i586.rpm> 10943475 e3ae6e493dae31c06d04de1e5ef24a5b
<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/glibc-devel-2.2.5-17.i586.rpm> 3088889 7bdde2a4805a408ec20b5b6c983c20b7
<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/glibc-profile-2.2.5-17.i586.rpm> 793449 8eb226d87491ab3d2b22e50a978900be
<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/mtrace-2.2.5-17.i586.rpm> 26291 d9d5ee64fff9b612203b7b6629d95022
<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/nscd-2.2.5-17.i586.rpm> 33125 5f91d450345639e2f4629005305d401d

<Turbolinux 7 Server>

Source Packages Size : MD5

<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/glibc-2.2.4-13.src.rpm> 13582169 668c9eb6ddb16b219cbe155edf9a6ca1

Binary Packages Size : MD5

<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/glibc-2.2.4-13.i586.rpm> 11310068 ebd5c4c08b7e50bafbd79b57801cccdd
<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/glibc-devel-2.2.4-13.i586.rpm> 6293426 b0b9308e04c0314f4130617e89f60017
<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/glibc-profile-2.2.4-13.i586.rpm> 4125526 818098cc38a84b39204504e36bc79761
<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/mtrace-2.2.4-13.i586.rpm> 15377 4de531b6fda1b23c28d91477eb8f4124
<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/nscd-2.2.4-13.i586.rpm> 31236 d5fbda6a59e9fc074a3df3ac378907b2

<Turbolinux 7 Workstation>

Source Packages Size : MD5

<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/glibc-2.2.4-13.src.rpm> 13582169 b0e8e76f424bd3bd2cd2a94dd37d0dcd

Binary Packages Size : MD5

<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/glibc-2.2.4-13.i586.rpm> 11308991 b5f5f6887dc9a8aaa4e118c6c8ff22e6
<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/glibc-devel-2.2.4-13.i586.rpm> 6292725 b4e5f9a07c55ff55845a2aa4dbfd5a7f
<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/glibc-profile-2.2.4-13.i586.rpm> 4125536 32c7053ca33d15f10c655b3e1262a769
<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/mtrace-2.2.4-13.i586.rpm> 15385 5d042786c08b9336fe73fe4c7c69367b
<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/nscd-2.2.4-13.i586.rpm> 31243 fae888249da3141a18336aa8a5f6da60

References :

CVE
[CAN-2003-0689] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0689>
[CAN-2003-0859] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0859>

===========================================================
* rsync -> Heap overflow
===========================================================

More information : rsync uses the "rsync algorithm" which provides a very fast method for bringing remote files into sync. It does this by sending just the differences in the files across the link, without requiring that both sets of files are present at one of the ends of the link beforehand. Rsync version 2.5.6 and earlier contains a heap overflow vulnerability that can be used to remotely run arbitrary code.

Please note that this vulnerability only affects the use of rsync as an "rsync server".

Impact : This vulnerability may allow a remote third party to gain root privileges.

Affected Products :
- Turbolinux 10 Desktop
- Turbolinux 8 Server
- Turbolinux 8 Workstation
- Turbolinux 7 Server
- Turbolinux 7 Workstation
- Turbolinux Server 6.5
- Turbolinux Advanced Server 6
- Turbolinux Server 6.1
- Turbolinux Workstation 6.0

Solution :
Please use turbopkg(zabom) tool to apply the update.

    turbopkg

or

zabom-1.x

    zabom update rsync

zabom-2.x

    zabom -u rsync

---------------------------------------------

<Turbolinux 10 Desktop>

Source Packages Size : MD5

<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/rsync-2.5.7-1.src.rpm> 454497 499768bcd5851f5dede0a9aaed9f67fd

Binary Packages Size : MD5

<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/rsync-2.5.7-1.i586.rpm> 142068 fba3ab5d577b7eab1818c3d41e6ce13d

<Turbolinux 8 Server>

Source Packages Size : MD5

<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/rsync-2.5.7-1.src.rpm> 454497 d4c79a6aba4e8a7b17d8940d6b6e1f87

Binary Packages Size : MD5

<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/rsync-2.5.7-1.i586.rpm> 140316 10b89f1b0c3db89ee56dc9b735b4effa

<Turbolinux 8 Workstation>

Source Packages Size : MD5

<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/rsync-2.5.7-1.src.rpm> 454497 5b521abb17456fadded17f054bd9a5b4

Binary Packages Size : MD5

<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/rsync-2.5.7-1.i586.rpm> 140308 6c9f1e54680ea18d6c885fb1bfe8d924

<Turbolinux 7 Server>

Source Packages Size : MD5

<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/rsync-2.5.7-1.src.rpm> 454497 da512bcc0862905542870ede94d4518c

Binary Packages Size : MD5

<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/rsync-2.5.7-1.i586.rpm> 136728 fe9fd94d15842c3e6344811501329205

<Turbolinux 7 Workstation>

Source Packages Size : MD5

<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/rsync-2.5.7-1.src.rpm> 454497 e7e10e4efe32ed6d0308c332b11df197

Binary Packages Size : MD5

<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/rsync-2.5.7-1.i586.rpm> 136761 10f48e8a8ffa4fe9318f277767ad03ed

<Turbolinux Server 6.5>

Source Packages Size : MD5

<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/updates/SRPMS/rsync-2.5.7-1.src.rpm> 454497 83ded0d90cde0b0a5e1376e468faaa42

Binary Packages Size : MD5

<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/updates/RPMS/rsync-2.5.7-1.i386.rpm> 136619 b8186c802c41974daf566bc01fbd9e9b

<Turbolinux Advanced Server 6>

Source Packages Size : MD5

<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/AdvancedServer/6/ja/updates/SRPMS/rsync-2.5.7-1.src.rpm> 454497 c0bd7ffb38fff1d788ae7056915acb28

Binary Packages Size : MD5

<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/AdvancedServer/6/ja/updates/RPMS/rsync-2.5.7-1.i386.rpm> 136611 f6fb180f6652671a6f2627065d2c40cd

<Turbolinux Server 6.1>

Source Packages Size : MD5

<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/updates/SRPMS/rsync-2.5.7-1.src.rpm> 454497 80d975cc6e84edb7da14d8566e4b7fe0

Binary Packages Size : MD5

<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/updates/RPMS/rsync-2.5.7-1.i386.rpm> 136599 70d6d5c3e4a227803ea48a2be5af324b

<Turbolinux Workstation 6.0>

Source Packages Size : MD5

<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/SRPMS/rsync-2.5.7-1.src.rpm> 454497 081ea78c2a4f089c452fe0a5094b68fa

Binary Packages Size : MD5

<ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/RPMS/rsync-2.5.7-1.i386.rpm> 136607 519b6825e9f917487a8c884b5b1a9006

References :

rsync <http://rsync.samba.org/>

CVE
[CAN-2003-0962] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0962>

* You may need to update the turbopkg tool before applying the update. Please refer to the following URL for detailed information.

<http://www.turbolinux.com/download/zabom.html>
<http://www.turbolinux.com/download/zabomupdate.html>

Package Update Path <http://www.turbolinux.com/update>

============================================================
* To obtain the public key

Here is the public key

<http://www.turbolinux.com/security/>

* To unsubscribe from the list

If you ever want to remove yourself from this mailing list, you can send a message to <server-users-e-ctl@turbolinux.co.jp> with the word 'unsubscribe' in the body (don't include the quotes).

unsubscribe

* To change your email address

If you ever want to change your email address in this mailing list, you can send a message to <server-users-e-ctl@turbolinux.co.jp> with the following command in the message body:

chaddr 'old address' 'new address'

If you have any questions or problems, please contact <supp_info@turbolinux.co.jp>

Thank you!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/0M/DK0LzjOqIJMwRAr7wAJ9uc2XNZGeh6lqS+pKIlIjmjCsLaQCePJvs uZ4pje67NlW5ogxnIjemsmk= =ZogU -----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group | Score | Vector
---|---|---
Base | 0 | AV:--/AC:--/Au:--/C:--/I:--/A:--
Temporal | 0 | E:ND/RL:ND/RC:ND
Environmental | 0 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • <http://www.mail-archive.com/rsync@lists.samba.org/msg08271.html>
  • <http://www.secunia.com/advisories/10353/>
  • <http://www.secunia.com/advisories/10354/>
  • <http://www.secunia.com/advisories/10355/>
  • <http://www.secunia.com/advisories/10356/>
  • <http://www.secunia.com/advisories/10357/>
  • <http://www.secunia.com/advisories/10358/>
  • <http://www.secunia.com/advisories/10359/>
  • <http://www.secunia.com/advisories/10360/>
  • <http://www.secunia.com/advisories/10361/>
  • <http://www.secunia.com/advisories/10362/>
  • <http://www.secunia.com/advisories/10363/>
  • <http://www.secunia.com/advisories/10364/>
  • <http://www.secunia.com/advisories/10378/>
  • <http://www.secunia.com/advisories/10474/>

Acknowledgements

Timo Sirainen originally discovered and reported this vulnerability. The rsync development team credits Mike Warfield, Paul Russell, and Andrea Barisani with providing additional information that led to the development of a fix and advisory.

This document was written by Chad R Dougherty.

Other Information

CVE IDs: | CVE-2003-0962
---|---
Severity Metric: | 29.40
Date Public: | 2003-10-03
Date First Published: | 2003-12-09
Date Last Updated: | 2006-05-01 19:33 UTC
Document Revision: | 29