RootSSV:3171Rsync xattr支持整数溢出漏洞
0.072 Low
EPSS
Percentile
93.3%
BUGTRAQ ID: 28726
CVE(CAN) ID: CVE-2008-1720
rsync是一个快速增量文件传输工具,用于在同一主机备份内部的备份。
rsync处理扩展属性数据时存在漏洞,如果rsync启用了扩展属性(xattr)支持的话,则负责处理该属性的代码中的整数溢出漏洞可能导致执行任意指令。
rsync rsync 2.6.9 - 3.0.1
厂商补丁:
Debian
Debian已经为此发布了一个安全公告(DSA-1545-1)以及相应补丁:
DSA-1545-1:New rsync packages fix arbitrary code execution
链接:<a href=“http://www.debian.org/security/2008/dsa-1545” target=“_blank”>http://www.debian.org/security/2008/dsa-1545</a>
补丁下载:
Source archives:
<a href=“http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch2.dsc” target=“_blank”>http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch2.dsc</a>
Size/MD5 checksum: 566 6504d35182ed2141c8d7d2f8152d5fb7
<a href=“http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9.orig.tar.gz” target=“_blank”>http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9.orig.tar.gz</a>
Size/MD5 checksum: 811841 996d8d8831dbca17910094e56dcb5942
<a href=“http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch2.diff.gz” target=“_blank”>http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch2.diff.gz</a>
Size/MD5 checksum: 51039 2131acc598dbbe26f9b6f04c0a0d3f2b
alpha architecture (DEC Alpha)
<a href=“http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch2_alpha.deb” target=“_blank”>http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch2_alpha.deb</a>
Size/MD5 checksum: 294664 ea644ca8d37211ccbc1f8173e934d45a
amd64 architecture (AMD x86_64 (AMD64))
<a href=“http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch2_amd64.deb” target=“_blank”>http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch2_amd64.deb</a>
Size/MD5 checksum: 272046 0d9e9576b24a245265f9a98d15ce3b0b
hppa architecture (HP PA RISC)
<a href=“http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch2_hppa.deb” target=“_blank”>http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch2_hppa.deb</a>
Size/MD5 checksum: 282552 dd5e17e39eeaa712287d166e3346bd7d
i386 architecture (Intel ia32)
<a href=“http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch2_i386.deb” target=“_blank”>http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch2_i386.deb</a>
Size/MD5 checksum: 261454 b68ddd05ba2a02f7a5f6bd9cc7807a2e
ia64 architecture (Intel ia64)
<a href=“http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch2_ia64.deb” target=“_blank”>http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch2_ia64.deb</a>
Size/MD5 checksum: 356986 df80d4332478c019d540b07ac16c235f
mips architecture (MIPS (Big Endian))
<a href=“http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch2_mips.deb” target=“_blank”>http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch2_mips.deb</a>
Size/MD5 checksum: 286532 21aeda2221c4b31c2f19296b58654222
mipsel architecture (MIPS (Little Endian))
<a href=“http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch2_mipsel.deb” target=“_blank”>http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch2_mipsel.deb</a>
Size/MD5 checksum: 287282 0c750c3cf7089ad7e7ea3d9d273df9b9
powerpc architecture (PowerPC)
<a href=“http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch2_powerpc.deb” target=“_blank”>http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch2_powerpc.deb</a>
Size/MD5 checksum: 275184 6d81a7a14422fd5bc7c89bd755320e80
s390 architecture (IBM S/390)
<a href=“http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch2_s390.deb” target=“_blank”>http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch2_s390.deb</a>
Size/MD5 checksum: 278828 5300915466913e7832a3649ba701d49e
sparc architecture (Sun SPARC/UltraSPARC)
<a href=“http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch2_sparc.deb” target=“_blank”>http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch2_sparc.deb</a>
Size/MD5 checksum: 264144 885fc97a390e1db66290805c06e35947
补丁安装方法:
- 手工安装补丁包:
首先,使用下面的命令来下载补丁软件:
wget url (url是补丁下载链接地址)
然后,使用下面的命令来安装补丁:
dpkg -i file.deb (file是相应的补丁名)
-
使用apt-get自动安装补丁包:
首先,使用下面的命令更新内部数据库:
apt-get update
然后,使用下面的命令安装更新软件包:
apt-get upgrade
rsync
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
<a href=“http://samba.anu.edu.au/rsync/download.html” target=“_blank”>http://samba.anu.edu.au/rsync/download.html</a>
<a href=“http://rsync.samba.org/ftp/rsync/security/rsync-3.0.1-xattr-alloc.diff” target=“_blank”>http://rsync.samba.org/ftp/rsync/security/rsync-3.0.1-xattr-alloc.diff</a>
Related
