Attachment #188988 for bug #224477

View | Details | Raw Unified | Return to bug 224477
Collapse All | Expand All

Lines 3-10 Link Here

(-)Makefile (-1 / +1 lines)
3		3
4	PORTNAME= rsync	4	PORTNAME= rsync
5	PORTVERSION= 3.1.2	5	PORTVERSION= 3.1.2
		6	PORTREVISION= 8
6	CATEGORIES= net ipv6	7	CATEGORIES= net ipv6
7	PORTREVISION= 7
8	MASTER_SITES= http://rsync.samba.org/ftp/rsync/ \	8	MASTER_SITES= http://rsync.samba.org/ftp/rsync/ \
9	https://rsync.samba.org/ftp/rsync/ \	9	https://rsync.samba.org/ftp/rsync/ \
10	ftp://ftp.fu-berlin.de/pub/unix/network/rsync/ \	10	ftp://ftp.fu-berlin.de/pub/unix/network/rsync/ \

From: Wayne Davison <wayned@samba.org>
Date: Sun, 5 Nov 2017 11:33:15 -0800
Subject: Enforce trailing \0 when receiving xattr name values. Fixes bug
 13112.
Origin: https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13112
Bug-Debian: https://bugs.debian.org/880954
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16548

---
 xattrs.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/xattrs.c b/xattrs.c
index 68305d75..4867e6f5 100644
--- a/xattrs.c
+++ b/xattrs.c
@@ -824,6 +824,10 @@ void receive_xattr(int f, struct file_struct *file)
 			out_of_memory("receive_xattr");
 		name = ptr + dget_len + extra_len;
 		read_buf(f, name, name_len);
+		if (name_len < 1 || name[name_len-1] != '\0') {
+			rprintf(FERROR, "Invalid xattr name received (missing trailing \\0).\n");
+			exit_cleanup(RERR_FILEIO);
+		}
 		if (dget_len == datum_len)
 			read_buf(f, ptr, dget_len);
 		else {
-- 
2.15.1




From: Jeriko One <jeriko.one@gmx.us>
Date: Thu, 2 Nov 2017 23:44:19 -0700
Subject: Check fname in recv_files sooner.
Origin: https://git.samba.org/?p=rsync.git;a=commit;h=3e06d40029cfdce9d0f73d87cfd4edaf54be9c51
Bug-Debian: https://bugs.debian.org/883667
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17433

---
 receiver.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/receiver.c b/receiver.c
index baae3a91..9fdafa15 100644
--- a/receiver.c
+++ b/receiver.c
@@ -574,6 +574,12 @@ int recv_files(int f_in, int f_out, char *local_name)
 			file = dir_flist->files[cur_flist->parent_ndx];
 		fname = local_name ? local_name : f_name(file, fbuf);
 
+		if (daemon_filter_list.head
+		    && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0) {
+			rprintf(FERROR, "attempt to hack rsync failed.\n");
+			exit_cleanup(RERR_PROTOCOL);
+		}
+
 		if (DEBUG_GTE(RECV, 1))
 			rprintf(FINFO, "recv_files(%s)\n", fname);
 
@@ -645,12 +651,6 @@ int recv_files(int f_in, int f_out, char *local_name)
 
 		cleanup_got_literal = 0;
 
-		if (daemon_filter_list.head
-		    && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0) {
-			rprintf(FERROR, "attempt to hack rsync failed.\n");
-			exit_cleanup(RERR_PROTOCOL);
-		}
-
 		if (read_batch) {
 			int wanted = redoing
 				   ? we_want_redo(ndx)
-- 
2.15.1





From: Jeriko One <jeriko.one@gmx.us>
Date: Thu, 16 Nov 2017 17:05:42 -0800
Subject: [1/2] Sanitize xname in read_ndx_and_attrs.
Origin: https://git.samba.org/?p=rsync.git;a=commit;h=70aeb5fddd1b2f8e143276f8d5a085db16c593b9
Bug-Debian: https://bugs.debian.org/883665
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17434

---
 rsync.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/rsync.c b/rsync.c
index b82e5988..a0945ba4 100644
--- a/rsync.c
+++ b/rsync.c
@@ -49,6 +49,7 @@ extern int flist_eof;
 extern int file_old_total;
 extern int keep_dirlinks;
 extern int make_backups;
+extern int sanitize_paths;
 extern struct file_list *cur_flist, *first_flist, *dir_flist;
 extern struct chmod_mode_struct *daemon_chmod_modes;
 #ifdef ICONV_OPTION
@@ -396,6 +397,11 @@ int read_ndx_and_attrs(int f_in, int f_out, int *iflag_ptr, uchar *type_ptr,
 	if (iflags & ITEM_XNAME_FOLLOWS) {
 		if ((len = read_vstring(f_in, buf, MAXPATHLEN)) < 0)
 			exit_cleanup(RERR_PROTOCOL);
+
+		if (sanitize_paths) {
+			sanitize_path(buf, buf, "", 0, SP_DEFAULT);
+			len = strlen(buf);
+		}
 	} else {
 		*buf = '\0';
 		len = -1;
-- 
2.15.1


From: Jeriko One <jeriko.one@gmx.us>
Date: Thu, 16 Nov 2017 17:26:03 -0800
Subject: [2/2] Check daemon filter against fnamecmp in recv_files().
Origin: https://git.samba.org/?p=rsync.git;a=commit;h=5509597decdbd7b91994210f700329d8a35e70a1
Bug-Debian: https://bugs.debian.org/883665
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17434

---
 receiver.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/receiver.c b/receiver.c
index 9fdafa15..9c46242e 100644
--- a/receiver.c
+++ b/receiver.c
@@ -722,7 +722,7 @@ int recv_files(int f_in, int f_out, char *local_name)
 				break;
 			}
 			if (!fnamecmp || (daemon_filter_list.head
-			  && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0)) {
+			  && check_filter(&daemon_filter_list, FLOG, fnamecmp, 0) < 0)) {
 				fnamecmp = fname;
 				fnamecmp_type = FNAMECMP_FNAME;
 			}
-- 
2.15.1

Return to bug 224477

Line 0 Link Here

(-)files/patch-CVE-2017-16548 (+31 lines)
	1	From: Wayne Davison <wayned@samba.org>
	2	Date: Sun, 5 Nov 2017 11:33:15 -0800
	3	Subject: Enforce trailing \0 when receiving xattr name values. Fixes bug
	4	13112.
	5	Origin: https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1
	6	Bug: https://bugzilla.samba.org/show_bug.cgi?id=13112
	7	Bug-Debian: https://bugs.debian.org/880954
	8	Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16548
	9
	10	---
	11	xattrs.c \| 4 ++++
	12	1 file changed, 4 insertions(+)
	13
	14	diff --git a/xattrs.c b/xattrs.c
	15	index 68305d75..4867e6f5 100644
	16	--- a/xattrs.c
	17	+++ b/xattrs.c
	18	@@ -824,6 +824,10 @@ void receive_xattr(int f, struct file_struct *file)
	19	out_of_memory("receive_xattr");
	20	name = ptr + dget_len + extra_len;
	21	read_buf(f, name, name_len);
	22	+ if (name_len < 1 \|\| name[name_len-1] != '\0') {
	23	+ rprintf(FERROR, "Invalid xattr name received (missing trailing \\0).\n");
	24	+ exit_cleanup(RERR_FILEIO);
	25	+ }
	26	if (dget_len == datum_len)
	27	read_buf(f, ptr, dget_len);
	28	else {
	29	--
	30	2.15.1
	31

Line 0 Link Here

(-)files/patch-CVE-2017-17433 (+44 lines)
	1	From: Jeriko One <jeriko.one@gmx.us>
	2	Date: Thu, 2 Nov 2017 23:44:19 -0700
	3	Subject: Check fname in recv_files sooner.
	4	Origin: https://git.samba.org/?p=rsync.git;a=commit;h=3e06d40029cfdce9d0f73d87cfd4edaf54be9c51
	5	Bug-Debian: https://bugs.debian.org/883667
	6	Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17433
	7
	8	---
	9	receiver.c \| 12 ++++++------
	10	1 file changed, 6 insertions(+), 6 deletions(-)
	11
	12	diff --git a/receiver.c b/receiver.c
	13	index baae3a91..9fdafa15 100644
	14	--- a/receiver.c
	15	+++ b/receiver.c
	16	@@ -574,6 +574,12 @@ int recv_files(int f_in, int f_out, char *local_name)
	17	file = dir_flist->files[cur_flist->parent_ndx];
	18	fname = local_name ? local_name : f_name(file, fbuf);
	19
	20	+ if (daemon_filter_list.head
	21	+ && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0) {
	22	+ rprintf(FERROR, "attempt to hack rsync failed.\n");
	23	+ exit_cleanup(RERR_PROTOCOL);
	24	+ }
	25	+
	26	if (DEBUG_GTE(RECV, 1))
	27	rprintf(FINFO, "recv_files(%s)\n", fname);
	28
	29	@@ -645,12 +651,6 @@ int recv_files(int f_in, int f_out, char *local_name)
	30
	31	cleanup_got_literal = 0;
	32
	33	- if (daemon_filter_list.head
	34	- && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0) {
	35	- rprintf(FERROR, "attempt to hack rsync failed.\n");
	36	- exit_cleanup(RERR_PROTOCOL);
	37	- }
	38	-
	39	if (read_batch) {
	40	int wanted = redoing
	41	? we_want_redo(ndx)
	42	--
	43	2.15.1
	44

Line 0 Link Here

(-)files/patch-CVE-2017-17434-1 (+38 lines)
	1	From: Jeriko One <jeriko.one@gmx.us>
	2	Date: Thu, 16 Nov 2017 17:05:42 -0800
	3	Subject: [1/2] Sanitize xname in read_ndx_and_attrs.
	4	Origin: https://git.samba.org/?p=rsync.git;a=commit;h=70aeb5fddd1b2f8e143276f8d5a085db16c593b9
	5	Bug-Debian: https://bugs.debian.org/883665
	6	Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17434
	7
	8	---
	9	rsync.c \| 6 ++++++
	10	1 file changed, 6 insertions(+)
	11
	12	diff --git a/rsync.c b/rsync.c
	13	index b82e5988..a0945ba4 100644
	14	--- a/rsync.c
	15	+++ b/rsync.c
	16	@@ -49,6 +49,7 @@ extern int flist_eof;
	17	extern int file_old_total;
	18	extern int keep_dirlinks;
	19	extern int make_backups;
	20	+extern int sanitize_paths;
	21	extern struct file_list cur_flist, first_flist, *dir_flist;
	22	extern struct chmod_mode_struct *daemon_chmod_modes;
	23	#ifdef ICONV_OPTION
	24	@@ -396,6 +397,11 @@ int read_ndx_and_attrs(int f_in, int f_out, int iflag_ptr, uchar type_ptr,
	25	if (iflags & ITEM_XNAME_FOLLOWS) {
	26	if ((len = read_vstring(f_in, buf, MAXPATHLEN)) < 0)
	27	exit_cleanup(RERR_PROTOCOL);
	28	+
	29	+ if (sanitize_paths) {
	30	+ sanitize_path(buf, buf, "", 0, SP_DEFAULT);
	31	+ len = strlen(buf);
	32	+ }
	33	} else {
	34	*buf = '\0';
	35	len = -1;
	36	--
	37	2.15.1
	38

Line 0 Link Here

(-)files/patch-CVE-2017-17434-2 (+27 lines)
	1	From: Jeriko One <jeriko.one@gmx.us>
	2	Date: Thu, 16 Nov 2017 17:26:03 -0800
	3	Subject: [2/2] Check daemon filter against fnamecmp in recv_files().
	4	Origin: https://git.samba.org/?p=rsync.git;a=commit;h=5509597decdbd7b91994210f700329d8a35e70a1
	5	Bug-Debian: https://bugs.debian.org/883665
	6	Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17434
	7
	8	---
	9	receiver.c \| 2 +-
	10	1 file changed, 1 insertion(+), 1 deletion(-)
	11
	12	diff --git a/receiver.c b/receiver.c
	13	index 9fdafa15..9c46242e 100644
	14	--- a/receiver.c
	15	+++ b/receiver.c
	16	@@ -722,7 +722,7 @@ int recv_files(int f_in, int f_out, char *local_name)
	17	break;
	18	}
	19	if (!fnamecmp \|\| (daemon_filter_list.head
	20	- && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0)) {
	21	+ && check_filter(&daemon_filter_list, FLOG, fnamecmp, 0) < 0)) {
	22	fnamecmp = fname;
	23	fnamecmp_type = FNAMECMP_FNAME;
	24	}
	25	--
	26	2.15.1
	27