I've been wondering about this audit-packages message...

Package rsync-2.6.9 has a remote-user-shell vulnerability, see
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4091

seems to be around a while. On the rsync list I found a patch.
Can someone aply it?

// George


----- Forwarded message from Paul Slootman <paul+rsync@wurtel.net> -----

Date: Thu, 30 Aug 2007 11:12:08 +0200
From: Paul Slootman <paul+rsync@wurtel.net>
To: rsync@lists.samba.org
Subject: Re: CVE-2007-4091

On Thu 30 Aug 2007, Sven.Hartrumpf@FernUni-Hagen.de wrote:
> Thu, 30 Aug 2007 01:41:01 -0400, danno wrote:

> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4091
> > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4091
> 
> SUSE has provided fixed RPMs for SUSE 10.0 - 10.2 some days ago.
> But rsync's cvs sources do not contain the string "4091", yet.

While preparing an update for Debian due to this issue,
I contacted Wayne and he informed me that the CVS version doesn't have
this issue (it was already fixed prior to the alert), so there's little
chance of the CVE number being mentioned in the CVS logs...
In other words, absence of the string "4091" doesn't mean the CVS
version is vulnerable.

He also gave a patch for 2.6.9 that was much simpler than the one
published in connection with this alert:

--- rsync-2.6.9/flist.c	2006-10-13 18:17:36.000000000 -0700
+++ flist.c	2007-08-15 14:28:59.000000000 -0700
@@ -735,7 +735,7 @@ struct file_struct *make_file(char *fnam
 		lastdir_len = -1;
 
 	if (strlcpy(thisname, fname, sizeof thisname)
-	    >= sizeof thisname - flist_dir_len) {
+	    >= sizeof thisname - flist_dir_len - 1) {
 		rprintf(FINFO, "skipping overly long name: %s\n", fname);
 		return NULL;
 	}


Paul Slootman
-- 
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html


----- End forwarded message -----

-- 
George Georgalis, information system scientist <IXOYE><