Package: rsync
Version: 2.6.3-1
Severity: important
Tags: patch security

Hi,
the new rsync upstream release fixes two security bugs which can be exploited via a symlink attack.

"1. Daemon advisory for "use chroot = no"

If you are running a writable rsync daemon with "use chroot = no", there is at least one way for someone to trick rsync into creating a symlink that points outside of the module's hierarchy. This means that if you are allowing access from users who you don't trust, you should either figure out a way to turn on "use chroot", or configure the daemon to refuse the --links option (see "refuse options" in the rsyncd.conf manpage), which will disable the ability of the rsync module to receive symlinks. After doing so, you should also check that any existing symlinks in the daemon hierarchy are safe.

Starting with the 3.0.0-pre6 release, there is a new daemon option available: "munge symlinks". This allows an rsync daemon to accept symlinks and return them intact (with even a leading slash still there, which is new for a non-chroot daemon), but will not allow the symlinks to be used while they are in the daemon's hierarchy. For those running 2.6.9, there is a patch to implement this option. Any admin applying that patch should read the "munge symlinks" section of the modified rsyncd.conf manpage for more information. You can also read about this option in the rsyncd.conf manpage from the 3.0.0pre6 release.

2. Daemon advisory for daemon excludes

If you are running a writable rsync daemon that is using one of the "exclude", "exclude from", or "filter" options in the rsyncd.conf file to hide data from your users, you should be aware that there are tricks that a user can play with symlinks and/or certain options that can allow a user that knows the name of a hidden file to access it or overwrite it (if file permissions allow that). You can avoid the symlink problem using the suggestions in the advisory above.

You can avoid the problems with other options by putting the following "refuse options" setting into your rsyncd.conf file:

    refuse options = --*-dest --partial-dir --backup-dir

An upcoming release of rsync 3.0.0 will hopefully fix the daemon-exclude validation of these options to make this unnecessary, but this has not yet been implemented. If you combine the above refuse options with the prior suggestion to refuse --links, that would give you this list of options (included here for easier copy/pasting):

    refuse options = --links --*-dest --partial-dir --backup-dir"

See: http://rsync.samba.org/security.html#s3_0_0
A patch can be found on: http://rsync.samba.org/ftp/rsync/munge-symlinks-2.6.9.diff

A CVE id for this issue is currently pending, I will add it to the bug report. If you fix the package after I got it please include the CVE id in the changelog then.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
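The advisory above tells an admin running "use chroot = no" to check that any existing symlinks in the daemon hierarchy are safe. The following Python script is an added example, not part of the bug report, of rsync, or of the Debian package: it walks a module directory without following links, resolves each symlink the way the kernel would (relative to the link's own directory, with absolute targets taken as-is) and reports every link whose target lands outside the module root. The module layout and file names in demo() are constructed for illustration.

```python
"""Audit an rsync module directory for symlinks that escape the module root.

Added example, not code from the bug report or from rsync. It implements the
advisory's "check that any existing symlinks in the daemon hierarchy are safe"
step for a daemon running with "use chroot = no": without a chroot, the daemon
follows symlinks on the real filesystem, so an absolute target or a target with
surplus "../" components points outside the module.
"""
import os
import tempfile
from pathlib import Path


def symlink_escapes(module_root, link):
    """Return True if symlink `link` resolves to a path outside `module_root`."""
    root = Path(module_root).resolve()
    link = Path(link)
    target = Path(os.readlink(link))
    # The target is resolved relative to the link's directory, as the kernel
    # does. Path's "/" keeps an absolute right-hand side, so absolute targets
    # are covered by the same expression as relative ones.
    resolved = (link.parent / target).resolve(strict=False)
    try:
        resolved.relative_to(root)
    except ValueError:
        return True
    return False


def find_escaping_symlinks(module_root):
    """Walk the module without following links; return the module-relative
    paths (sorted) of every symlink whose target lies outside the module."""
    root = Path(module_root)
    escaping = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # os.walk reports symlinks to directories in dirnames (and does not
        # descend into them), so both lists have to be inspected.
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if p.is_symlink() and symlink_escapes(root, p):
                escaping.append(str(p.relative_to(root)))
    return sorted(escaping)


def demo():
    """Build a constructed module tree in a temporary directory and audit it.
    Returns the module-relative paths of the escaping links."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        module = base / "module"          # hypothetical rsync module path
        (module / "data").mkdir(parents=True)
        (module / "data" / "file.txt").write_text("inside\n")
        (base / "outside.txt").write_text("not part of the module\n")
        # Safe links: relative and absolute targets that stay inside the module.
        os.symlink("data/file.txt", module / "ok_rel")
        os.symlink(str((module / "data").resolve()), module / "ok_abs")
        # Escaping links: "../" climbs out of the module, and an absolute
        # target points at a different tree entirely.
        os.symlink("../outside.txt", module / "bad_rel")
        os.symlink(str((base / "outside.txt").resolve()), module / "bad_abs")
        # A nested link needs two "../" to escape; it is caught as well.
        os.symlink("../../outside.txt", module / "data" / "bad_nested")
        return find_escaping_symlinks(module)


if __name__ == "__main__":
    for rel in demo():
        print("symlink escapes module:", rel)
```

Run find_escaping_symlinks() against the "path" of each writable module; anything it reports should be removed or re-pointed before relying on "refuse options = --links" alone, since that setting only stops new symlinks from arriving and does nothing about links already present.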

