[Bug 11949] New: A malicious sender can still use symlinks to overwrite files

[Bug 11949] New: A malicious sender can still use symlinks to overwrite files

samba-bugs
https://bugzilla.samba.org/show_bug.cgi?id=11949

            Bug ID: 11949
           Summary: A malicious sender can still use symlinks to overwrite
                    files
           Product: rsync
           Version: 3.1.2
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: core
          Assignee: [hidden email]
          Reporter: [hidden email]
        QA Contact: [hidden email]

Commit 962f8b90045ab331fc04c9e65f80f1a53e68243b fixed an issue where malicious
servers can utilize a just sent symlink to overwrite arbitrary files
(CVE-2014-9512).
The check was implemented for the inc-recurse algorithm only.
An evil sender can bypass the check and still use the symlink vector by
negotiating protocol < 30.
You might consider fixing this in the non-incremental recursive algorithm as
well.

--
You are receiving this mail because:
You are the QA Contact for the bug.

--
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
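
A simplified model of the kind of receiver-side check this report concerns, added here as an illustration and not taken from rsync's source or from either commit named in the thread: it refuses any file-list entry whose parent path was sent as a symlink or was never sent as a directory. The `(path, kind)` list format, the `validate_file_list` name and the sample lists are assumptions constructed for the example.

```python
import posixpath

# Constructed sample file lists: (path, kind), kind is "dir", "file" or "symlink".
BENIGN = [("docs", "dir"), ("docs/readme.txt", "file"), ("latest", "symlink")]
HOSTILE = [
    ("docs", "dir"),
    ("cache", "symlink"),        # sender announces a symlink ...
    ("cache/data.bin", "file"),  # ... then a file whose path runs through it
    ("../escape.txt", "file"),   # plain traversal out of the destination
]


def validate_file_list(entries):
    """Return [(path, reason)] for entries a receiver should refuse (hypothetical helper)."""
    # First pass: record every kind announced for each normalized path, so a
    # path sent both as a directory and as a symlink is never trusted.
    kinds = {}
    for raw, kind in entries:
        kinds.setdefault(posixpath.normpath(raw), set()).add(kind)

    rejected = []
    for raw, _kind in entries:
        if raw.startswith("/") or ".." in raw.split("/"):
            rejected.append((raw, "path escapes the destination"))
            continue
        parts = posixpath.normpath(raw).split("/")
        # Every proper parent must have been sent, and only as a directory.
        for i in range(1, len(parts)):
            parent = "/".join(parts[:i])
            seen = kinds.get(parent, set())
            if "symlink" in seen:
                rejected.append((raw, f"parent {parent!r} was sent as a symlink"))
                break
            if seen != {"dir"}:
                rejected.append((raw, f"parent {parent!r} was not sent as a directory"))
                break
    return rejected
```
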

[Bug 11949] A malicious sender can still use symlinks to overwrite files

samba-bugs
https://bugzilla.samba.org/show_bug.cgi?id=11949

Wayne Davison <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #1 from Wayne Davison <[hidden email]> ---
You'll have to be more specific, since the fix was implemented in both
inc-recursive and non-inc-recursive modes (in separate fixes). I tested
--protocol=29 and --no-inc-recursive w/o issue (though the older protocol isn't
good enough to make the error visible on a "push" (such as a local copy), since
it doesn't retrieve remote errors like protocol 30 does when the remote side
dies). You can see the error via --msgs2stderr, or just rely on the error's
protocol-incompatibility exit error code.

[Bug 11949] A malicious sender can still use symlinks to overwrite files

samba-bugs
https://bugzilla.samba.org/show_bug.cgi?id=11949

--- Comment #2 from Wayne Davison <[hidden email]> ---
FYI, the other commit is: e12a6c087ca1eecdb8eae5977be239c24f4dd3d9

[Bug 11949] A malicious sender can still use symlinks to overwrite files

samba-bugs
https://bugzilla.samba.org/show_bug.cgi?id=11949

--- Comment #3 from Vitezslav Cizek <[hidden email]> ---
(In reply to Wayne Davison from comment #2)
Thanks, I just found the commit too, I completely missed it before.
I reproduced this on a patched 3.1.1, not 3.1.2, if I remember it correctly.
So this report is likely invalid, I'll verify it on Monday.
Thanks for your quick response.

[Bug 11949] A malicious sender can still use symlinks to overwrite files

samba-bugs
https://bugzilla.samba.org/show_bug.cgi?id=11949

Vitezslav Cizek <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |CLOSED
         Resolution|---                         |INVALID

--- Comment #4 from Vitezslav Cizek <[hidden email]> ---
(In reply to Wayne Davison from comment #2)
The commit
(https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=e12a6c087ca1eecdb8eae5977be239c24f4dd3d9)
indeed fixes the issue for the older recursive algorithm.
