Bug 873740 (CVE-2014-2855) - VUL-0: CVE-2014-2855: rsync: denial of service
Summary: VUL-0: CVE-2014-2855: rsync: denial of service
Status: VERIFIED FIXED
Alias: CVE-2014-2855
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-04-15 15:04 UTC by Vítězslav Čížek
Modified: 2019-04-26 09:31 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Vítězslav Čížek 2014-04-15 15:04:08 UTC 
From http://www.openwall.com/lists/oss-security/2014/04/15/1:

> rsync 3.1.0 contains a denial of service issue

> a remote client can send an invalid username and cause an infinite CPU
> loop on the server child process.
> 
> The server master process is unaffected, allowing the remote client to
> do this multiple times toward system-wide denial of service.

> Wayne Davison 2014-04-13 21:14:04 UTC
> 
> I've committed a fix for this into git for release in 3.1.1.

https://bugzilla.samba.org/show_bug.cgi?id=10551
https://bugs.launchpad.net/ubuntu/+source/rsync/+bug/1307230
https://git.samba.org/?p=rsync.git;a=commit;h=0dedfbce2c1b851684ba658861fe9d620636c56a

Use CVE-2014-2855.
Comment 1 Vítězslav Čížek 2014-04-16 10:08:14 UTC 
Only 13.1 and Factory affected.
The bug is present only in rsync 3.1.0.
Comment 2 Vítězslav Čížek 2014-04-16 10:19:28 UTC 
Packages submitted. Reassigning to security-team.
Comment 3 Bernhard Wiedemann 2014-04-16 11:00:15 UTC 
This is an autogenerated message for OBS integration:
This bug (873740) was mentioned in
https://build.opensuse.org/request/show/230311 13.1+12.3 / rsync
Comment 4 Swamp Workflow Management 2014-04-16 22:00:12 UTC 
bugbot adjusting priority
Comment 5 Bernhard Wiedemann 2014-04-18 07:00:16 UTC 
This is an autogenerated message for OBS integration:
This bug (873740) was mentioned in
https://build.opensuse.org/request/show/230719 Factory / rsync
Comment 6 Swamp Workflow Management 2014-05-02 13:05:48 UTC 
openSUSE-SU-2014:0595-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 873740
CVE References: CVE-2014-2855
Sources used:
openSUSE 13.1 (src):    rsync-3.1.0-21.8.1
Comment 7 Alexander Bergmann 2014-05-02 16:46:29 UTC 
Fixed and released. Closing bug.
Comment 9 Swamp Workflow Management 2019-04-26 09:31:30 UTC 
This is an autogenerated message for OBS integration:
This bug (873740) was mentioned in
https://build.opensuse.org/request/show/698102 15.1 / rsync