Overview

File _patchinfo of Package patchinfo.6278

<patchinfo incident="6278">
  <issue id="1071459" tracker="bnc">VUL-0: CVE-2017-17433: rsync: The recv_files function proceeds with certain file metadata updates before checking for a filename in the daemon_filter_list</issue>
  <issue id="1066644" tracker="bnc">VUL-0: CVE-2017-16548: rsync: Missing trailing '\0' character check could lead to remote denial of service</issue>
  <issue id="1071460" tracker="bnc">VUL-0: CVE-2017-17434: rsync: Missing check for fnamecmp filenames in the daemon_filter_list data structure (in the recv_files function in receiver.c)</issue>
  <issue id="1028842" tracker="bnc">kiwi not preserving extended attributes, file capabilities stripped</issue>
  <issue id="2017-17434" tracker="cve" />
  <issue id="2017-17433" tracker="cve" />
  <issue id="2017-16548" tracker="cve" />
  <issue id="1062063" tracker="bnc">L3: rsync doesn't stop on errors</issue>
  <category>security</category>
  <rating>moderate</rating>
  <packager>pmonrealgonzalez</packager>
  <description>This update for rsync fixes several issues.

These security issues were fixed:

- CVE-2017-17434: The daemon in rsync did not check for fnamecmp filenames in
  the daemon_filter_list data structure (in the recv_files function in
  receiver.c) and also did not apply the sanitize_paths protection mechanism to
  pathnames found in "xname follows" strings (in the read_ndx_and_attrs function
  in rsync.c), which allowed remote attackers to bypass intended access
  restrictions" (bsc#1071460).
- CVE-2017-17433: The recv_files function in receiver.c in the daemon in rsync,
  proceeded with certain file metadata updates before checking for a filename in
  the daemon_filter_list data structure, which allowed remote attackers to bypass
  intended access restrictions (bsc#1071459).
- CVE-2017-16548: The receive_xattr function in xattrs.c in rsync did not check
  for a trailing '\\0' character in an xattr name, which allowed remote attackers
  to cause a denial of service (heap-based buffer over-read and application
  crash) or possibly have unspecified other impact by sending crafted data to the
  daemon (bsc#1066644).

This non-security issue was fixed:

- Stop file upload after errors like a full disk (bsc#1062063)
- Ensure -X flag works even when setting owner/group (bsc#1028842)
</description>
  <summary>Security update for rsync</summary>
</patchinfo>
openSUSE Build Service is sponsored by
Places