Debian Security Advisory
DLA-1725-1 rsync -- LTS security update
- Date Reported: 24 Mar 2019
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843, CVE-2018-5764.
- More information:
Trail of Bits used the automated vulnerability discovery tools developed for the DARPA Cyber Grand Challenge to audit zlib. As rsync, a fast, versatile, remote (and local) file-copying tool, uses an embedded copy of zlib, those issues are also present in rsync.
In order to avoid undefined behavior, remove offset pointer optimization, as this is not compliant with the C standard.
Only use post-increment to be compliant with the C standard.
In order to avoid undefined behavior, do not shift negative values, as this is not compliant with the C standard.
In order to avoid undefined behavior, do not pre-decrement a pointer in big-endian CRC calculation, as this is not compliant with the C standard.
Prevent remote attackers from being able to bypass the argument-sanitization protection mechanism by ignoring --protect-args when already sent by client.
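The pointer and shift items above, shown as compliant C. This is an added example, not code from zlib, rsync, or the advisory, and the function names `crc32_postinc` and `pack_back_and_length` are hypothetical. The non-compliant forms appear only in comments.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Non-compliant walk (shown only in this comment, never executed):
 *     const unsigned char *p = buf - 1;   // points before the array: undefined
 *     while (len--) crc ^= *++p;          // pre-increment access
 * Compliant walk: start at buf and post-increment, so p stays in
 * [buf, buf + len]. Bitwise CRC-32 (reflected polynomial 0xEDB88320) keeps
 * the example short; it is not zlib's table-driven code. */
uint32_t crc32_postinc(const unsigned char *buf, size_t len)
{
    const unsigned char *p = buf;
    uint32_t crc = 0xFFFFFFFFu;

    while (len--) {
        crc ^= *p++;
        for (int bit = 0; bit < 8; bit++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Non-compliant: ((long)back << 16) is undefined when back is negative.
 * Compliant: shift in an unsigned type, where the result is defined modulo
 * 2^N, then convert back (implementation-defined, two's complement on
 * mainstream compilers). */
long pack_back_and_length(int back, unsigned length)
{
    unsigned long hi = (unsigned long)(long)back << 16;
    return (long)hi + (long)length;
}

int main(void)
{
    static const unsigned char sample[] = "123456789"; /* constructed input */
    printf("crc32  = 0x%08lX\n", (unsigned long)crc32_postinc(sample, 9));
    printf("packed = %ld\n", pack_back_and_length(-1, 5));
    return 0;
}
```

Building with `-fsanitize=undefined` is a quick way to confirm that neither function trips the pointer-overflow or shift checks on these inputs.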
For Debian 8 "Jessie", these problems have been fixed in version 3.1.1-3+deb8u2.
We recommend that you upgrade your rsync packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS