Re: [linux-security] rsync remote root exploit



On Mon, Jan 28, 2002 at 12:41:57PM -0800, Martin Siegert wrote:
> Topic
> =====
> remote root exploit in rsync
> 
> Problem Description
> ===================
> The rsync program allows users and administrators to synchronize files and
> whole directory structures on different machines. 
> There exist several signedness bugs within the rsync program which allow
> remote attackers to write 0-bytes to almost arbitrary stack-locations,
> therefore being able to control the program flow and obtaining a shell
> remotely.
> 
> Solution
> ========
> Upgrade to rsync-2.5.2 or a patched version for your distribution.

Debian 2.2 (potato)
-------------------
The package that Debian released (rsync_2.3.2-1.3_i386.deb) contains
bugs that break rsync. Upgrade to rsync_2.3.2-1.5_i386.deb instead.

Mandrake 7.1
------------
rpm -Fvh rsync-2.4.6-3.2mdk.i586.rpm

Mandrake 7.2, 8.x
-----------------
rpm -Fvh rsync-2.4.6-3.1mdk.i586.rpm