Skip to navigation

Security Advisory Moderate: rsync security, bug fix, and enhancement update

Advisory: RHSA-2011:0999-1
Type: Security Advisory
Severity: Moderate
Issued on: 2011-07-21
Last updated on: 2011-07-21
Affected Products: Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
CVEs (cve.mitre.org): CVE-2007-6200

Details

An updated rsync package that fixes one security issue, several bugs, and
adds enhancements is now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

rsync is a program for synchronizing files over a network.

A flaw was found in the way the rsync daemon handled the "filter",
"exclude", and "exclude from" options, used for hiding files and preventing
access to them from rsync clients. A remote attacker could use this flaw to
bypass those restrictions by using certain command line options and
symbolic links, allowing the attacker to overwrite those files if they knew
their file names and had write access to them. (CVE-2007-6200)

Note: This issue only affected users running rsync as a writable daemon:
"read only" set to "false" in the rsync configuration file (for example,
"/etc/rsyncd.conf"). By default, this option is set to "true".

This update also fixes the following bugs:

* The rsync package has been upgraded to upstream version 3.0.6, which
provides a number of bug fixes and enhancements over the previous version.
(BZ#339971)

* When running an rsync daemon that was receiving files, a deferred info,
error or log message could have been sent directly to the sender instead of
being handled by the "rwrite()" function in the generator. Also, under
certain circumstances, a deferred info or error message from the receiver
could have bypassed the log file and could have been sent only to the
client process. As a result, an "unexpected tag 3" fatal error could have
been displayed. These problems have been fixed in this update so that an
rsync daemon receiving files now works as expected. (BZ#471182)

* Prior to this update, the rsync daemon called a number of timezone-using
functions after doing a chroot. As a result, certain C libraries were
unable to generate proper timestamps from inside a chrooted daemon. This
bug has been fixed in this update so that the rsync daemon now calls the
respective timezone-using functions prior to doing a chroot, and proper
timestamps are now generated as expected. (BZ#575022)

* When running rsync under a non-root user with the "-A" ("--acls") option
and without using the "--numeric-ids" option, if there was an Access
Control List (ACL) that included a group entry for a group that the
respective user was not a member of on the receiving side, the
"acl_set_file()" function returned an invalid argument value ("EINVAL").
This was caused by rsync mistakenly mapping the group name to the Group ID
"GID_NONE" ("-1"), which failed. The bug has been fixed in this update so
that no invalid argument is returned and rsync works as expected.
(BZ#616093)

* When creating a sparse file that was zero blocks long, the "rsync
--sparse" command did not properly truncate the sparse file at the end of
the copy transaction. As a result, the file size was bigger than expected.
This bug has been fixed in this update by properly truncating the file so
that rsync now copies such files as expected. (BZ#530866)

* Under certain circumstances, when using rsync in daemon mode, rsync
generator instances could have entered an infinitive loop, trying to write
an error message for the receiver to an invalid socket. This problem has
been fixed in this update by adding a new sibling message: when the
receiver is reporting a socket-read error, the generator will notice this
fact and avoid writing an error message down the socket, allowing it to
close down gracefully when the pipe from the receiver closes. (BZ#690148)

* Prior to this update, there were missing deallocations found in the
"start_client()" function. This bug has been fixed in this update and no
longer occurs. (BZ#700450)

All users of rsync are advised to upgrade to this updated package, which
resolves these issues and adds enhancements.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Updated packages

Red Hat Enterprise Linux (v. 5 server)

SRPMS:
rsync-3.0.6-4.el5.src.rpm
File outdated by:  RHBA-2011:1112
    MD5: e098ac69cf6bd7868b7aaa7c59137a54
SHA-256: 92f3c44c25d077f03b3a557347447de43c6ef2fb8e537ca81551771e05c73c90
 
IA-32:
rsync-3.0.6-4.el5.i386.rpm
File outdated by:  RHBA-2011:1112
    MD5: 0e6ad0242333c3c08cf66788372a06d1
SHA-256: dd5fc9621d8fe19fdb434b10cab90956deab55c37ee0c02443f75af549e7b175
 
IA-64:
rsync-3.0.6-4.el5.ia64.rpm
File outdated by:  RHBA-2011:1112
    MD5: 4a319a7b98b0630ce8f2ac8f494da821
SHA-256: 08d58119fd808a54e66fb1747fcd7c86ccfb8a97f8ee3a2c8bb6c0eb7e1ac354
 
PPC:
rsync-3.0.6-4.el5.ppc.rpm
File outdated by:  RHBA-2011:1112
    MD5: de1d122e89dc772b20ad5df219760fb9
SHA-256: ceed63a853f3d28f0e6855a064f14358e9fd735528526424b04eb94a135908a7
 
s390x:
rsync-3.0.6-4.el5.s390x.rpm
File outdated by:  RHBA-2011:1112
    MD5: 914650808776c59b462bc4b3d5bf8d07
SHA-256: f4870b4b66bb56ec050718bbeae27903909fbbcddcb1ee3329cb30b928777d86
 
x86_64:
rsync-3.0.6-4.el5.x86_64.rpm
File outdated by:  RHBA-2011:1112
    MD5: 24577a87fc213e9c6226027da4530874
SHA-256: bc82043835c298f9e557083ebb8457d06be420cded39ee9429ff47c9d42ec5e6
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
rsync-3.0.6-4.el5.src.rpm
File outdated by:  RHBA-2011:1112
    MD5: e098ac69cf6bd7868b7aaa7c59137a54
SHA-256: 92f3c44c25d077f03b3a557347447de43c6ef2fb8e537ca81551771e05c73c90
 
IA-32:
rsync-3.0.6-4.el5.i386.rpm
File outdated by:  RHBA-2011:1112
    MD5: 0e6ad0242333c3c08cf66788372a06d1
SHA-256: dd5fc9621d8fe19fdb434b10cab90956deab55c37ee0c02443f75af549e7b175
 
x86_64:
rsync-3.0.6-4.el5.x86_64.rpm
File outdated by:  RHBA-2011:1112
    MD5: 24577a87fc213e9c6226027da4530874
SHA-256: bc82043835c298f9e557083ebb8457d06be420cded39ee9429ff47c9d42ec5e6
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

339971 - [RFE] Rebase rsync packages to version 3
407171 - CVE-2007-6200 rsync excluded content access restrictions bypass via symlinks
471182 - rsync errors: unexpected tag 3 [sender]
530866 - rsync --sparse does not properly copy sparse files
575022 - rsyncd gets confused with timezones when logging to syslog
616093 - EINVAL (Invalid argument) setting group --acls
690148 - Rsync instances stay in memory when using in daemon mode
700450 - Resource leaks revealed by Coverity scan.


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/