Gentoo FoundationGLSA-200605-05rsync: Potential integer overflow
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.02 Low
EPSS
Percentile
88.8%
Background
rsync is a server and client utility that provides fast incremental file transfers. It is used to efficiently synchronize files between hosts and is used by emerge to fetch Gentoo’s Portage tree.
Description
An integer overflow was found in the receive_xattr function from the extended attributes patch (xattr.c) for rsync. The vulnerable function is only present when the “acl” USE flag is set.
Impact
A remote attacker with write access to an rsync module could craft malicious extended attributes which would trigger the integer overflow, potentially resulting in the execution of arbitrary code with the rights of the rsync daemon.
Workaround
Do not provide write access to an rsync module to untrusted parties.
Resolution
All rsync users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/rsync-2.6.8"
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Gentoo | any | all | net-misc/rsync | < 2.6.8 | UNKNOWN |
Related
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.02 Low
EPSS
Percentile
88.8%