* [Buildroot] [PATCH] rsync: add upstream security fix for CVE-2017-16548
@ 2017-12-19 11:56 Peter Korsgaard
2017-12-19 20:51 ` Peter Korsgaard
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Peter Korsgaard @ 2017-12-19 11:56 UTC (permalink / raw
To: buildroot
The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development
does not check for a trailing '\0' character in an xattr name, which allows
remote attackers to cause a denial of service (heap-based buffer over-read
and application crash) or possibly have unspecified other impact by sending
crafted data to the daemon.
For more details, see:
https://bugzilla.samba.org/show_bug.cgi?id=13112
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
...ailing-0-when-receiving-xattr-name-values.patch | 33 ++++++++++++++++++++++
1 file changed, 33 insertions(+)
create mode 100644 package/rsync/0004-Enforce-trailing-0-when-receiving-xattr-name-values.patch
diff --git a/package/rsync/0004-Enforce-trailing-0-when-receiving-xattr-name-values.patch b/package/rsync/0004-Enforce-trailing-0-when-receiving-xattr-name-values.patch
new file mode 100644
index 0000000000..be9040010c
--- /dev/null
+++ b/package/rsync/0004-Enforce-trailing-0-when-receiving-xattr-name-values.patch
@@ -0,0 +1,33 @@
+From 47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1 Mon Sep 17 00:00:00 2001
+From: Wayne Davison <wayned@samba.org>
+Date: Sun, 5 Nov 2017 11:33:15 -0800
+Subject: [PATCH] Enforce trailing \0 when receiving xattr name values. Fixes
+ bug 13112.
+
+Fixes CVE-2017-16548
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+Patch status: upstream commit 47a63d90e7
+
+ xattrs.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/xattrs.c b/xattrs.c
+index 68305d75..4867e6f5 100644
+--- a/xattrs.c
++++ b/xattrs.c
+@@ -824,6 +824,10 @@ void receive_xattr(int f, struct file_struct *file)
+ out_of_memory("receive_xattr");
+ name = ptr + dget_len + extra_len;
+ read_buf(f, name, name_len);
++ if (name_len < 1 || name[name_len-1] != '\0') {
++ rprintf(FERROR, "Invalid xattr name received (missing trailing \\0).\n");
++ exit_cleanup(RERR_FILEIO);
++ }
+ if (dget_len == datum_len)
+ read_buf(f, ptr, dget_len);
+ else {
+--
+2.11.0
+
--
2.11.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [Buildroot] [PATCH] rsync: add upstream security fix for CVE-2017-16548
2017-12-19 11:56 [Buildroot] [PATCH] rsync: add upstream security fix for CVE-2017-16548 Peter Korsgaard
@ 2017-12-19 20:51 ` Peter Korsgaard
2017-12-27 22:30 ` Peter Korsgaard
2017-12-31 8:34 ` Peter Korsgaard
2 siblings, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2017-12-19 20:51 UTC (permalink / raw
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development
> does not check for a trailing '\0' character in an xattr name, which allows
> remote attackers to cause a denial of service (heap-based buffer over-read
> and application crash) or possibly have unspecified other impact by sending
> crafted data to the daemon.
> For more details, see:
> https://bugzilla.samba.org/show_bug.cgi?id=13112
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Buildroot] [PATCH] rsync: add upstream security fix for CVE-2017-16548
2017-12-19 11:56 [Buildroot] [PATCH] rsync: add upstream security fix for CVE-2017-16548 Peter Korsgaard
2017-12-19 20:51 ` Peter Korsgaard
@ 2017-12-27 22:30 ` Peter Korsgaard
2017-12-31 8:34 ` Peter Korsgaard
2 siblings, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2017-12-27 22:30 UTC (permalink / raw
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development
> does not check for a trailing '\0' character in an xattr name, which allows
> remote attackers to cause a denial of service (heap-based buffer over-read
> and application crash) or possibly have unspecified other impact by sending
> crafted data to the daemon.
> For more details, see:
> https://bugzilla.samba.org/show_bug.cgi?id=13112
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2017.11.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Buildroot] [PATCH] rsync: add upstream security fix for CVE-2017-16548
2017-12-19 11:56 [Buildroot] [PATCH] rsync: add upstream security fix for CVE-2017-16548 Peter Korsgaard
2017-12-19 20:51 ` Peter Korsgaard
2017-12-27 22:30 ` Peter Korsgaard
@ 2017-12-31 8:34 ` Peter Korsgaard
2 siblings, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2017-12-31 8:34 UTC (permalink / raw
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development
> does not check for a trailing '\0' character in an xattr name, which allows
> remote attackers to cause a denial of service (heap-based buffer over-read
> and application crash) or possibly have unspecified other impact by sending
> crafted data to the daemon.
> For more details, see:
> https://bugzilla.samba.org/show_bug.cgi?id=13112
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2017.02.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2017-12-31 8:34 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-12-19 11:56 [Buildroot] [PATCH] rsync: add upstream security fix for CVE-2017-16548 Peter Korsgaard
2017-12-19 20:51 ` Peter Korsgaard
2017-12-27 22:30 ` Peter Korsgaard
2017-12-31 8:34 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.