rsnapshot copy_symlink() Arbitrary File Ownership Modification

2005-04-09T03:22:58
ID OSVDB:15420
Type osvdb
Reporter OSVDB
Modified 2005-04-09T03:22:58

Description

Vulnerability Description

Rsnapshot contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is due to an error in the "copy_symlink()" function where file permissions for symlinks are incorrectly set on the original file. This flaw may allow an attacker to take ownership of arbitrary files by placing a malicious symlink in a directory being backed up, resulting in a loss of integrity.

Solution Description

Upgrade to version 1.2.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

Rsnapshot contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is due to an error in the "copy_symlink()" function where file permissions for symlinks are incorrectly set on the original file. This flaw may allow an attacker to take ownership of arbitrary files by placing a malicious symlink in a directory being backed up, resulting in a loss of integrity.

References:

Vendor URL: http://www.rsnapshot.org/ Vendor Specific News/Changelog Entry: http://cvs.sourceforge.net/viewcvs.py/rsnapshot/rsnapshot/ChangeLog?view=markup Vendor Specific Advisory URL Security Tracker: 1013674 Secunia Advisory ID:14878 Secunia Advisory ID:14956 Other Advisory URL: http://security.gentoo.org/glsa/glsa-200504-12.xml Mail List Post: http://archives.neohapsis.com/archives/apps/freshmeat/2005-04/0010.html Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-04/0199.html