Title: rsync Signed Array Index Remote Code Execution Vulnerability
Severity: CRITICAL
Description:
The rsync program is used to synchronize files and directory structures across a network. It is commonly used to maintain mirrors of FTP sites, often through anonymous access to the rsync server. It is available for Linux and other Unix operating systems. rsync is usually configured to run as the root user.
A vulnerability exists within some versions of rsync. Under some circumstances, a remotely supplied signed value is used as an array index. If a negative value is used as an array index, it is possible to access nearly arbitrary memory locations. It has been reported that this may only be used to write NULL bytes to memory.
If a remote attacker is able to exploit this vulnerability, they may write NULL bytes to arbitrary locations on the stack. This could lead to the corruption of data used to restore an instruction pointer, which in turn would modify the flow of execution of the program. If successfully exploited, this would result in the execution of arbitrary code as the root user.
It is possible that other versions of rsync share this vulnerability.
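The class of flaw described above, shown as an added example that is not rsync source code: a signed index decoded from peer-supplied bytes passes a check that tests only the upper bound, while a check on both ends of the range rejects it. The table, its size, the function names and the little-endian 4-byte field are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_COUNT 8                 /* hypothetical table size */
static char slots[SLOT_COUNT];       /* stand-in for a table indexed by the peer */

/* Constructed sample fields as they would arrive from the peer. */
static const unsigned char WIRE_NEG_ONE[4] = {0xff, 0xff, 0xff, 0xff};
static const unsigned char WIRE_THREE[4]   = {0x03, 0x00, 0x00, 0x00};

/* Decode a 4-byte little-endian field into a signed 32-bit value. */
int32_t read_wire_int(const unsigned char *p)
{
    uint32_t u = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    int32_t v;
    memcpy(&v, &u, sizeof v);        /* reinterpret bits without signed overflow */
    return v;
}

/* Flawed check: only the upper bound is tested, so negatives pass. */
int upper_bound_only_ok(int32_t idx) { return idx < SLOT_COUNT; }

/* Hardened check: both ends of the range are tested. */
int index_ok(int32_t idx) { return idx >= 0 && idx < SLOT_COUNT; }

/* Write the NUL byte only after the full check; 0 on success, -1 if rejected. */
int clear_slot(const unsigned char *wire)
{
    int32_t idx = read_wire_int(wire);
    if (!index_ok(idx))
        return -1;
    slots[idx] = '\0';
    return 0;
}

int main(void)
{
    int32_t idx = read_wire_int(WIRE_NEG_ONE);
    printf("decoded index: %d\n", (int)idx);
    printf("upper-bound-only check accepts it: %d\n", upper_bound_only_ok(idx));
    printf("full range check accepts it: %d\n", index_ok(idx));
    printf("clear_slot result: %d\n", clear_slot(WIRE_NEG_ONE));
    printf("clear_slot(3) result: %d\n", clear_slot(WIRE_THREE));
    return 0;
}
```

Declaring the index as an unsigned type and comparing it against the table size gives the same protection, because a negative wire value then decodes to a number far above the upper bound.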
Affected Products:
- Caldera OpenLinux 2.3.0
- Caldera OpenLinux 3.1.0 -IA64
- Caldera OpenLinux Server 3.1.0
- Caldera OpenLinux Server 3.1.1
- Caldera OpenLinux Workstation 3.1.0
- Caldera OpenLinux Workstation 3.1.1
- Caldera OpenLinux eBuilder 3.0.0
- Conectiva Linux 5.0.0
- Conectiva Linux 5.1.0
- Conectiva Linux 6.0.0
- Conectiva Linux 7.0.0
- Conectiva Linux 8.0.0
- Conectiva Linux ecommerce
- Conectiva Linux graficas
- Debian Linux 2.2.0 68k
- Debian Linux 2.2.0 IA-32
- Debian Linux 2.2.0 alpha
- Debian Linux 2.2.0 arm
- Debian Linux 2.2.0 powerpc
- Debian Linux 2.2.0 sparc
- EnGarde Secure Linux 1.0.1
- HP Secure OS software for Linux 1.0.0
- MandrakeSoft Corporate Server 1.0.1
- MandrakeSoft Linux Mandrake 7.1.0
- MandrakeSoft Linux Mandrake 7.2.0
- MandrakeSoft Linux Mandrake 8.0.0
- MandrakeSoft Linux Mandrake 8.0.0 ppc
- MandrakeSoft Linux Mandrake 8.1.0
- MandrakeSoft Linux Mandrake 8.1.0 ia64
- MandrakeSoft Single Network Firewall 7.2.0
- RedHat Linux 6.2.0 alpha
- RedHat Linux 6.2.0 i386
- RedHat Linux 6.2.0 sparc
- RedHat Linux 7.0.0 alpha
- RedHat Linux 7.0.0 i386
- RedHat Linux 7.1.0 alpha
- RedHat Linux 7.1.0 i386
- RedHat Linux 7.1.0 ia64
- RedHat Linux 7.2.0 i386
- RedHat Linux 7.2.0 ia64
- S.u.S.E. Linux 6.4.0 alpha
- S.u.S.E. Linux 6.4.0 i386
- S.u.S.E. Linux 6.4.0 ppc
- S.u.S.E. Linux 7.0.0 alpha
- S.u.S.E. Linux 7.0.0 i386
- S.u.S.E. Linux 7.0.0 ppc
- S.u.S.E. Linux 7.0.0 sparc
- S.u.S.E. Linux 7.1.0 alpha
- S.u.S.E. Linux 7.1.0 ppc
- S.u.S.E. Linux 7.1.0 sparc
- S.u.S.E. Linux 7.1.0 x86
- S.u.S.E. Linux 7.2.0 i386
- S.u.S.E. Linux 7.3.0 i386
- S.u.S.E. Linux 7.3.0 ppc
- S.u.S.E. Linux 7.3.0 sparc
- S.u.S.E. Linux 8.0.0
- SCO eDesktop 2.4.0
- SCO eServer 2.3.1
- Trustix Secure Linux 1.0.0 1
- Trustix Secure Linux 1.1.0
- Trustix Secure Linux 1.2.0
- Trustix Secure Linux 1.5.0
- rsync rsync 2.3.1
- rsync rsync 2.3.2
- rsync rsync 2.3.2 -1.2 ARM
- rsync rsync 2.3.2 -1.2 PPC
- rsync rsync 2.3.2 -1.2 alpha
- rsync rsync 2.3.2 -1.2 intel
- rsync rsync 2.3.2 -1.2 m68k
- rsync rsync 2.3.2 -1.2 sparc
- rsync rsync 2.4.1
- rsync rsync 2.4.3
- rsync rsync 2.4.4
- rsync rsync 2.4.6
- rsync rsync 2.4.8
- rsync rsync 2.5.1
References:
- RedHat: Bugzilla bug 58874
- SecurityBugWare: rsync remote heap corruption
- rsync: rsync Homepage