Debian Security Advisory

rsync -- Rare problem with corrupted file permissions

Date Reported:
18 Aug 1999
Affected Packages:
rsync
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-1999-0473.
More information:
The author of rsync, Andrew Tridgell, has reported that earlier versions of rsync contained a security-related bug. If you were transferring an empty directory into a non-existent directory on a remote host, permissions on the remote host may have been mangled. This bug occurs only in very rare cases. It is not likely that you have experienced it, but you should check the permissions of your home directories.

Andrew Tridgell's message is available at LWN - rsync (1999) and Stuttgart BUGTRAQ - 1999.

Here are some excerpts from Andrew's message to BUGTRAQ:

... released rsync 2.3.1 to fix [the security hole].

A user can't exploit this hole deliberately to gain privileges (ie. this is not an "active" security hole) but a system administrator could ... inadvertently compromise the security of their system.

The fix is to chmod your home directory back to the correct permissions and upgrade to rsync 2.3.1. The bug is in the receiving side of rsync, so it is quite safe to continue to use older anonymous rsync servers as long as you upgrade your client.

This bug has been present in all versions of rsync. I apologize for any inconvenience.
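As an added example (not part of the advisory or of rsync itself), the following POSIX shell script does the two things the advisory asks for: it compares an rsync version string against the fixed release 2.3.1, and it flags home directories whose mode bits allow group or world write access, the symptom of the mangled permissions described above. It assumes GNU `stat -c` and plain dotted version strings such as "2.3.0".

```shell
#!/bin/sh
# Added example: audit for the rsync permission-mangling bug (fixed in 2.3.1).
# Assumes GNU coreutils stat; version strings are plain "major.minor.patch".

# Return 0 when the version given as $1 is 2.3.1 or newer, 1 otherwise.
rsync_is_fixed() {
    oldIFS=$IFS; IFS=.
    set -- $1            # split "2.3.0" into positional parameters 2 3 0
    IFS=$oldIFS
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -gt 2 ] && return 0
    [ "$major" -lt 2 ] && return 1
    [ "$minor" -gt 3 ] && return 0
    [ "$minor" -lt 3 ] && return 1
    [ "$patch" -ge 1 ]
}

# Return 0 when directory $1 is group- or world-writable, 1 otherwise.
# Works on the last three octal digits so a sticky/setgid prefix is ignored.
dir_is_loose() {
    mode=$(stat -c '%a' "$1") || return 2
    tail=${mode#"${mode%???}"}          # last three digits, e.g. 755
    g=${tail#?}; g=${g%?}               # group digit
    o=${tail#??}                        # other digit
    case "$g" in 2|3|6|7) return 0 ;; esac   # write bit (2) set for group
    case "$o" in 2|3|6|7) return 0 ;; esac   # write bit (2) set for others
    return 1
}

# Print every directory directly under $1 (e.g. /home) with loose permissions.
audit_homes() {
    for d in "$1"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        if dir_is_loose "$d"; then
            printf 'loose permissions: %s (%s)\n' "$d" "$(stat -c '%a' "$d")"
        fi
    done
}

# Usage: sh audit.sh /home
if [ $# -gt 0 ]; then
    audit_homes "$1"
fi
```

Any directory the script reports should be restored with chmod to its intended mode (typically 0755 or 0700 for a home directory), as the author's message recommends.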

Fixed in:
Source:
http://security.debian.org/dists/slink/updates/source/rsync_2.3.1-0.slink.1.diff.gz
http://security.debian.org/dists/slink/updates/source/rsync_2.3.1-0.slink.1.dsc
http://security.debian.org/dists/slink/updates/source/rsync_2.3.1.orig.tar.gz
alpha:
http://security.debian.org/dists/slink/updates/binary-alpha/rsync_2.3.1-0.slink.1_alpha.deb
i386:
http://security.debian.org/dists/slink/updates/binary-i386/rsync_2.3.1-0.slink.1_i386.deb
m68k:
http://security.debian.org/dists/slink/updates/binary-m68k/rsync_2.3.1-0.slink.1_m68k.deb
sparc:
http://security.debian.org/dists/slink/updates/binary-sparc/rsync_2.3.1-0.slink.1_sparc.deb