Debian Security Advisory
DSA-106-2 rsync -- remote exploit
- Date Reported: 26 Jan 2002
- Affected Packages: rsync
- Vulnerable: Yes
- Security database references: In Mitre's CVE dictionary: CVE-2002-0048.
- More information:
Sebastian Krahmer found several places in rsync (a popular tool to synchronise files between machines) where signed and unsigned numbers were mixed, which resulted in insecure code (see securityfocus.com). This could be abused by remote users to write 0-bytes in rsync's memory and trick rsync into executing arbitrary code.

This has been fixed in version 2.3.2-1.3 and we recommend you upgrade your rsync package immediately.

Unfortunately the patch used to fix that problem broke rsync. This has been fixed in version 2.3.2-1.5 and we recommend you upgrade to that version immediately.
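As an added illustration of the signed/unsigned mixing pattern the advisory describes (example code, not from the advisory and not rsync's source), a length field decoded from the wire as a signed int slips past a bound check that only tests the upper limit, then turns into a huge size_t when it reaches a zero-fill. MAXLEN, the header layout and the function names are hypothetical.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical fixed-size receive buffer; not rsync's real constant. */
#define MAXLEN 256
/* Constructed 4-byte little-endian length headers: a sane value, and all-ones. */
static const unsigned char kHdrOk[4]      = { 0x10, 0x00, 0x00, 0x00 };
static const unsigned char kHdrAllOnes[4] = { 0xff, 0xff, 0xff, 0xff };

/* Decode the header into the signed int a protocol reader of the era would
 * hand to callers. The two's-complement fold is written out so that
 * 0xffffffff -> -1 is well-defined rather than implementation-defined. */
int read_length(const unsigned char hdr[4])
{
    uint32_t raw = (uint32_t)hdr[0] | (uint32_t)hdr[1] << 8 |
                   (uint32_t)hdr[2] << 16 | (uint32_t)hdr[3] << 24;
    return raw <= (uint32_t)INT_MAX ? (int)raw : -(int)(UINT32_MAX - raw) - 1;
}

/* Flawed check of the kind the advisory describes: only the upper bound is
 * tested, on the signed value, so a negative length is never "too large". */
bool accept_len_mixed(int len)
{
    return len <= MAXLEN;
}

/* Hardened check: a length is valid only inside [0, MAXLEN]. */
bool accept_len_fixed(int len)
{
    return len >= 0 && len <= MAXLEN;
}

/* Size a memset(buf, 0, len) really gets once the int becomes size_t: -1 -> SIZE_MAX. */
size_t zero_write_size(int len)
{
    return (size_t)len;   /* computed here, never performed */
}

int main(void)
{
    int lens[] = { read_length(kHdrOk), read_length(kHdrAllOnes) };
    for (int i = 0; i < 2; i++)
        printf("len=%d mixed=%s fixed=%s zero-fill=%zu bytes\n", lens[i],
               accept_len_mixed(lens[i]) ? "accept" : "reject",
               accept_len_fixed(lens[i]) ? "accept" : "reject", zero_write_size(lens[i]));
    return 0;
}
```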
- Fixed in: Debian GNU/Linux 2.2 (potato)
- Source:
- http://security.debian.org/dists/stable/updates/main/source/rsync_2.3.2-1.5.diff.gz
- http://security.debian.org/dists/stable/updates/main/source/rsync_2.3.2-1.5.dsc
- http://security.debian.org/dists/stable/updates/main/source/rsync_2.3.2.orig.tar.gz
- Alpha:
- http://security.debian.org/dists/stable/updates/main/binary-alpha/rsync_2.3.2-1.5_alpha.deb
- ARM:
- http://security.debian.org/dists/stable/updates/main/binary-arm/rsync_2.3.2-1.5_arm.deb
- Intel IA-32:
- http://security.debian.org/dists/stable/updates/main/binary-i386/rsync_2.3.2-1.5_i386.deb
- Motorola 680x0:
- http://security.debian.org/dists/stable/updates/main/binary-m68k/rsync_2.3.2-1.5_m68k.deb
- PowerPC:
- http://security.debian.org/dists/stable/updates/main/binary-powerpc/rsync_2.3.2-1.5_powerpc.deb
- Sun Sparc:
- http://security.debian.org/dists/stable/updates/main/binary-sparc/rsync_2.3.2-1.5_sparc.deb
MD5 checksums of the listed files are available in the original advisory. (DSA-106-2)