Bugzilla – Bug 915410
VUL-0: CVE-2014-9512: rsync: path spoofing attack vulnerability
Last modified: 2019-04-26 09:31:50 UTC
CVE-2014-9512
In the newest version of rsync (3.1.1), directly modifying the file path into an absolute path does not succeed in hijacking due to the security checks, but using symbolic links can still bypass the security checks and spoof the client. When a client uses the parameter -a to synchronize files from the server side (default), for example:
rsync -avzP 127.0.0.1::share /tmp/share
rsync recursively synchronizes all files. An attacker can hijack the file path by modifying the code of the server side, which allows remote servers to write to arbitrary files, and consequently execute arbitrary code.
References:
http://xteam.baidu.com/?p=169 (original bug report)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9512
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9512.html
bugbot adjusting priority
This is an autogenerated message for OBS integration: This bug (915410) was mentioned in https://build.opensuse.org/request/show/283800 13.2+13.1 / rsync
Only 13.2 and Factory affected. Other distributions have rsync <= 3.1.0. Back to security-team.
openSUSE-SU-2015:0249-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 915410 CVE References: CVE-2014-9512 Sources used: openSUSE 13.2 (src): rsync-3.1.1-2.4.1 openSUSE 13.1 (src): rsync-3.1.0-21.12.1
released
Reopening. We will backport the countermeasures against malicious servers.
rsync 3.1.1 introduced a filtering measure to prevent malicious servers from sending invalid files from outside of the specified directory:
https://git.samba.org/?p=rsync.git;a=commitdiff;h=4cad402ea8a91031f86c53961d78bb7f4f174790
The feature was incomplete and missed the attack vector that uses symlink to traverse directories. This was assigned CVE-2014-9512. The symlink trick is fixed by:
https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=962f8b90045ab331fc04c9e65f80f1a53e68243b
*** Bug 960191 has been marked as a duplicate of this bug. ***
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2016-01-22. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62416
An update workflow for this issue was started. This issue was rated as "important". Please submit fixed packages until "Jan. 15, 2016". When done, reassign the bug to "security-team@suse.de". /update/62416/.
The fix for the symlink issue is still incomplete. The countermeasure was implemented for the new incremental recursive algorithm (inc-recurse) only. The new algorithm is used by default since rsync 3.0. However, both server and client must support protocol >= 30. A malicious server can bypass the symlink check by negotiating a protocol version < 30. Thus it can still overwrite arbitrary files (although with \0 bytes it seems, needs more investigation).
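The gap discussed in the comments above (a path filter that does not account for symlinks sent in the same file list), as an added illustration that is not rsync's code or the upstream patch: a receiver-side check that rejects any entry placed beneath a name the sender also declared as a symlink. It runs on the received list itself, so it does not depend on which recursion algorithm or protocol version was negotiated. The struct layout, function names and sample lists are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed file-list entry: path relative to the destination, plus type. */
struct entry { const char *path; int is_symlink; };

/* Constructed sample lists, as a receiver might see them from a sender. */
static const struct entry benign[] = {
    { "docs", 0 }, { "docs/readme.txt", 0 }, { "latest", 1 } };
static const struct entry spoofed[] = {
    { "cache", 1 }, { "cache/victim.txt", 0 } };  /* file sent below a symlink */

/* 1 if the path is absolute or has a ".." component (plain path filtering). */
static int escapes_by_name(const char *p)
{
    if (p[0] == '/') return 1;
    while (*p) {
        size_t n = strcspn(p, "/");          /* length of this component */
        if (n == 2 && p[0] == '.' && p[1] == '.') return 1;
        p += n + (p[n] == '/');              /* skip component and separator */
    }
    return 0;
}

/* 1 if path lies strictly beneath dir (dir followed by a '/' separator). */
static int is_below(const char *path, const char *dir)
{
    size_t n = strlen(dir);
    return strncmp(path, dir, n) == 0 && path[n] == '/';
}

/* Index of the first entry to reject, or -1 if the whole list is acceptable. */
int first_unsafe_entry(const struct entry *list, int count)
{
    for (int i = 0; i < count; i++) {
        if (escapes_by_name(list[i].path)) return i;
        /* The symlink case: a parent of this entry was sent as a symlink. */
        for (int j = 0; j < count; j++)
            if (list[j].is_symlink && is_below(list[i].path, list[j].path))
                return i;
    }
    return -1;
}

int main(void)
{
    printf("%d %d\n", first_unsafe_entry(benign, 3), first_unsafe_entry(spoofed, 2));
    return 0;
}
```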
http://xteam.baidu.com/?p=169 has
SUSE-SU-2016:0173-1: An update that solves two vulnerabilities and has two fixes is now available. Category: security (moderate) Bug References: 898513,900914,915410,922710 CVE References: CVE-2014-8242,CVE-2014-9512 Sources used: SUSE Linux Enterprise Server 12-SP1 (src): rsync-3.1.0-6.1 SUSE Linux Enterprise Server 12 (src): rsync-3.1.0-6.1 SUSE Linux Enterprise Desktop 12-SP1 (src): rsync-3.1.0-6.1 SUSE Linux Enterprise Desktop 12 (src): rsync-3.1.0-6.1
SUSE-SU-2016:0176-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 900914,915410 CVE References: CVE-2014-8242,CVE-2014-9512 Sources used: SUSE Linux Enterprise Server for VMWare 11-SP3 (src): rsync-3.0.4-2.49.1 SUSE Linux Enterprise Server 11-SP4 (src): rsync-3.0.4-2.49.1 SUSE Linux Enterprise Server 11-SP3 (src): rsync-3.0.4-2.49.1 SUSE Linux Enterprise Desktop 11-SP4 (src): rsync-3.0.4-2.49.1 SUSE Linux Enterprise Desktop 11-SP3 (src): rsync-3.0.4-2.49.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): rsync-3.0.4-2.49.1 SUSE Linux Enterprise Debuginfo 11-SP3 (src): rsync-3.0.4-2.49.1
The symlink attack using protocol downgrade was reported upstream: https://bugzilla.samba.org/show_bug.cgi?id=11949
The old recursive algorithm is fixed in https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=e12a6c087ca1eecdb8eae5977be239c24f4dd3d9
This is an autogenerated message for OBS integration: This bug (915410) was mentioned in https://build.opensuse.org/request/show/402744 42.1 / rsync https://build.opensuse.org/request/show/402745 13.2 / rsync
openSUSE-SU-2016:1671-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 915410 CVE References: CVE-2014-9512 Sources used: openSUSE Leap 42.1 (src): rsync-3.1.0-6.1
openSUSE-SU-2016:1695-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 915410 CVE References: CVE-2014-9512 Sources used: openSUSE 13.2 (src): rsync-3.1.1-2.10.2
SUSE-SU-2016:1866-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 915410 CVE References: CVE-2014-9512 Sources used: SUSE Linux Enterprise Server 11-SP4 (src): rsync-3.0.4-2.52.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): rsync-3.0.4-2.52.1
SUSE-SU-2016:2151-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 915410 CVE References: CVE-2014-9512 Sources used: SUSE Linux Enterprise Server 12-SP1 (src): rsync-3.1.0-9.3 SUSE Linux Enterprise Desktop 12-SP1 (src): rsync-3.1.0-9.3
This is an autogenerated message for OBS integration: This bug (915410) was mentioned in https://build.opensuse.org/request/show/563269 42.3 / rsync
openSUSE-SU-2018:0101-1: An update that solves four vulnerabilities and has three fixes is now available. Category: security (moderate) Bug References: 1028842,1062063,1066644,1071459,1071460,915410,999847 CVE References: CVE-2014-9512,CVE-2017-16548,CVE-2017-17433,CVE-2017-17434 Sources used: openSUSE Leap 42.3 (src): rsync-3.1.0-10.1 openSUSE Leap 42.2 (src): rsync-3.1.0-7.3.1
This is an autogenerated message for OBS integration: This bug (915410) was mentioned in https://build.opensuse.org/request/show/698102 15.1 / rsync