touch-packages team mailing list archive
Message #126770
[Bug 1531061] Re: Rsync path spoofing attack vulnerability
Looks like this is http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9512.html
** Information type changed from Private Security to Public Security
** Changed in: rsync (Ubuntu)
Status: New => Confirmed
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9512
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to rsync in Ubuntu.
https://bugs.launchpad.net/bugs/1531061
Title:
Rsync path spoofing attack vulnerability
Status in rsync package in Ubuntu:
Confirmed
Bug description:
A security fix in rsync 3.1.2 was released, adding an extra check to the
file list to prevent a malicious sender from using an unsafe destination path
for a transferred file, such as a just-sent symlink.
Details on the bug from rsync's bug page (hosted at samba), information on
reproducing it, and patch information can be found here:
https://bugzilla.samba.org/show_bug.cgi?id=10977
Upstream patch:
https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=962f8b90045ab331fc04c9e65f80f1a53e68243b
Seems like this should be backported to currently supported LTS and
regular releases as a security update?
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rsync/+bug/1531061/+subscriptions
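The attack class the bug description refers to is a sender that first transmits a symlink and then transmits a regular file whose destination path passes through that symlink, so the receiver writes outside the destination tree. The following is an added, simplified model of the receiver-side file-list check; it is not rsync's code and does not use rsync's data structures. The `Entry` format, the function names and the sample file list are assumptions constructed for this illustration.

```python
"""Simplified model of a receiver-side file-list check: a file-list entry
must not be written through a symlink that the same sender transmitted
earlier in the transfer.

Added illustration, not rsync's implementation. The Entry format, the
function names and the sample file list below are assumptions made for
this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Entry:
    """One file-list entry as the receiver sees it (constructed format)."""
    path: str                     # path relative to the destination root
    kind: str                     # "dir", "file" or "symlink"
    target: Optional[str] = None  # symlink target, only for kind == "symlink"


def _components(path: str) -> List[str]:
    """Split a relative path into its non-empty, non-'.' components."""
    return [c for c in path.split("/") if c not in ("", ".")]


def check_file_list(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Walk the file list in sender order and return (path, verdict) pairs.

    The verdict is "ok" or a "rejected: ..." reason. An entry is rejected
    when its path escapes the destination root, or when any directory
    component of its destination path was sent earlier in this transfer
    as a symlink (the "just-sent symlink" case from the bug report).
    """
    sent_symlinks: Set[str] = set()
    results: List[Tuple[str, str]] = []
    for e in entries:
        comps = _components(e.path)
        if e.path.startswith("/") or ".." in comps:
            results.append((e.path, "rejected: path escapes destination"))
            continue
        # Every proper prefix of the path is a directory the receiver will
        # descend into; none of them may be a symlink created by this transfer.
        bad_prefix = None
        for i in range(1, len(comps)):
            prefix = "/".join(comps[:i])
            if prefix in sent_symlinks:
                bad_prefix = prefix
                break
        if bad_prefix is not None:
            results.append(
                (e.path, f"rejected: parent '{bad_prefix}' is a just-sent symlink")
            )
            continue
        if e.kind == "symlink":
            sent_symlinks.add("/".join(comps))
        results.append((e.path, "ok"))
    return results


# Constructed sample file list from a hostile sender: a benign directory and
# file, then a symlink pointing at /etc, then a file routed through it, then
# a plain traversal attempt.
MALICIOUS_FILE_LIST = [
    Entry("docs", "dir"),
    Entry("docs/readme.txt", "file"),
    Entry("etc", "symlink", target="/etc"),
    Entry("etc/cron.d/backdoor", "file"),   # would land in /etc/cron.d
    Entry("../outside.txt", "file"),
]


def demo() -> List[Tuple[str, str]]:
    """Run the check over the constructed sample and return the verdicts."""
    return check_file_list(MALICIOUS_FILE_LIST)


if __name__ == "__main__":
    for path, verdict in demo():
        print(f"{path:24s} {verdict}")
```

The check is order-sensitive by design: the symlink only becomes dangerous once it exists on the receiver, so the model records symlinks as they are processed and vetoes any later entry whose parent chain passes through one. A real receiver would also have to consider symlinks that already existed on disk before the transfer and the transfer's link-handling options, which this toy does not model.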