ALT-PU-2018-1219-1
Closed vulnerabilities
BDU:2018-01509
Vulnerability in the parse_arguments function of the rsyncd server of the Rsync utility that allows a user to compromise data integrity
BDU:2019-04731
Vulnerability in the recv_files and read_ndx_and_attrs functions of the rsync daemon that allows an attacker to bypass existing access restrictions and affect the confidentiality, integrity and availability of protected information
BDU:2021-01395
Vulnerability in the receive_xattr function in xattrs.c of the Rsync file transfer and synchronization utility, caused by reading beyond the bounds of a data buffer, that allows an attacker to gain access to confidential data, compromise its integrity, and cause a denial of service
BDU:2021-01448
Vulnerability in the recv_files function in receiver.c of the Rsync file transfer and synchronization utility that allows an attacker to affect data integrity
Modified: 2024-11-21
CVE-2017-15994
rsync 3.1.3-development before 2017-10-24 mishandles archaic checksums, which makes it easier for remote attackers to bypass intended access restrictions. NOTE: the rsync development branch has significant use beyond the rsync developers, e.g., the code has been copied for use in various GitHub projects.
- https://git.samba.org/?p=rsync.git%3Ba=commit%3Bh=7b8a4ecd6ff9cdf4e5d3850ebf822f1e989255b3
- https://git.samba.org/?p=rsync.git%3Ba=commit%3Bh=9a480deec4d20277d8e20bc55515ef0640ca1e55
- https://git.samba.org/?p=rsync.git%3Ba=commit%3Bh=c252546ceeb0925eb8a4061315e3ff0a8c55b48b
Modified: 2024-11-21
CVE-2017-16548
The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing '\0' character in an xattr name, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly have unspecified other impact by sending crafted data to the daemon.
- https://bugzilla.samba.org/show_bug.cgi?id=13112
- https://git.samba.org/rsync.git/?p=rsync.git%3Ba=commit%3Bh=47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1
- [debian-lts-announce] 20171222 [SECURITY] [DLA 1218-1] rsync security update
- USN-3543-1
- USN-3543-2
- DSA-4068
Modified: 2024-11-21
CVE-2017-17433
The recv_files function in receiver.c in the daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, proceeds with certain file metadata updates before checking for a filename in the daemon_filter_list data structure, which allows remote attackers to bypass intended access restrictions.
- https://bugzilla.redhat.com/show_bug.cgi?id=1522874#c4
- http://security.cucumberlinux.com/security/details.php?id=169
- https://git.samba.org/?p=rsync.git%3Ba=commit%3Bh=3e06d40029cfdce9d0f73d87cfd4edaf54be9c51
- [debian-lts-announce] 20171222 [SECURITY] [DLA 1218-1] rsync security update
- DSA-4068
Modified: 2024-11-21
CVE-2017-17434
The daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, does not check for fnamecmp filenames in the daemon_filter_list data structure (in the recv_files function in receiver.c) and also does not apply the sanitize_paths protection mechanism to pathnames found in "xname follows" strings (in the read_ndx_and_attrs function in rsync.c), which allows remote attackers to bypass intended access restrictions.
- http://security.cucumberlinux.com/security/details.php?id=170
- https://git.samba.org/?p=rsync.git%3Ba=commit%3Bh=5509597decdbd7b91994210f700329d8a35e70a1
- https://git.samba.org/?p=rsync.git%3Ba=commit%3Bh=70aeb5fddd1b2f8e143276f8d5a085db16c593b9
- [debian-lts-announce] 20171222 [SECURITY] [DLA 1218-1] rsync security update
- DSA-4068
Modified: 2024-11-21
CVE-2018-5764
The parse_arguments function in options.c in rsyncd in rsync before 3.1.3 does not prevent multiple --protect-args uses, which allows remote attackers to bypass an argument-sanitization protection mechanism.
- 102803
- 1040276
- https://download.samba.org/pub/rsync/src-previews/rsync-3.1.3pre1-NEWS
- https://git.samba.org/rsync.git/?p=rsync.git%3Ba=commit%3Bh=7706303828fcde524222babb2833864a4bd09e07
- [debian-lts-announce] 20180119 [SECURITY] [DLA 1247-1] rsync security update
- [debian-lts-announce] 20190324 [SECURITY] [DLA 1725-1] rsync security update
- [debian-lts-announce] 20211130 [SECURITY] [DLA 2833-1] rsync security update
- GLSA-201805-04
- USN-3543-1