CWRedLight
(Date : 11.04.2008 17:23:43)


rsync xattr Integer Overflow Vulnerability
Secunia Advisory: SA29668  
Release Date: 2008-04-11

Critical: Moderately critical
Impact: DoS, System access
Where: From remote
Solution Status: Vendor Patch

Software: rsync 2.x, rsync 3.x

CVE reference: CVE-2008-1720 (Secunia mirror)

Description:
A vulnerability has been reported in rsync, which can potentially be exploited by malicious users to cause a DoS (Denial of Service) or to compromise a vulnerable system.

The vulnerability is caused by an integer overflow error within the extended attributes (xattr) support and can be exploited to cause a buffer overflow.

Successful exploitation may allow execution of arbitrary code, but requires that the extended attributes support is enabled.

The vulnerability is reported in versions 2.6.9 through 3.0.1.

NOTE: Version 2.6.9 had to be patched to support extended attributes.

Solution:
Update to version 3.0.2 or apply the patch.
http://samba.anu.edu.au/rsync/download.html
http://rsync.samba.org/ftp/rsync/security/rsync-3.0.1-xattr-alloc.diff
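
A check against the affected range and the xattr condition stated above, as an added example that is not part of the advisory or of rsync: it classifies the text printed by `rsync --version`. The banner samples are constructed; the function names, the status labels, and the assumption that the capabilities list prints `xattrs` or `no xattrs` are the example's own.

```python
import re

# Affected range as stated in the advisory (fixed in 3.0.2).
FIRST_AFFECTED = (2, 6, 9)
LAST_AFFECTED = (3, 0, 1)

VERSION_RE = re.compile(
    r"^rsync\s+version\s+v?(\d+)\.(\d+)\.(\d+)(\S*)", re.MULTILINE)

# Constructed sample banners, not captured from real hosts.
SAMPLE_AFFECTED = ("rsync  version 3.0.1  protocol version 30\n"
                   "Capabilities: 64-bit files, hardlinks, ACLs, xattrs, iconv\n")
SAMPLE_FIXED = ("rsync  version 3.0.2  protocol version 30\n"
                "Capabilities: 64-bit files, hardlinks, ACLs, xattrs, iconv\n")


def parse_version(banner):
    """Return ((major, minor, patch), suffix) or None if no version line."""
    m = VERSION_RE.search(banner)
    if m is None:
        return None
    return tuple(int(p) for p in m.groups()[:3]), m.group(4)


def xattr_capability(banner):
    """True for 'xattrs', False for 'no xattrs', None if not mentioned."""
    m = re.search(r"\b(no )?xattrs\b", banner)
    return None if m is None else m.group(1) is None


def assess(banner):
    parsed = parse_version(banner)
    if parsed is None:
        return "unknown"
    version, suffix = parsed
    if suffix:
        # Pre-release or vendor builds are not named in the advisory.
        return "check-manually"
    if not (FIRST_AFFECTED <= version <= LAST_AFFECTED):
        return "outside-range"
    xattrs = xattr_capability(banner)
    if xattrs is None:
        # e.g. 2.6.9, which only has xattr support if it was patched in.
        return "in-range-xattrs-unknown"
    return "affected" if xattrs else "in-range-no-xattrs"


if __name__ == "__main__":
    for sample in (SAMPLE_AFFECTED, SAMPLE_FIXED):
        print(sample.splitlines()[0], "->", assess(sample))
```
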

Provided and/or discovered by:
The vendor credits Sebastian Krahmer.

Original Advisory:
http://samba.anu.edu.au/rsync/security.html#s3_0_2
http://www.mail-archive.com/rsync-announce@lists.samba.org/msg00057.html










Source: http://secunia.com/advisories/29668/