Rsync sanitize_path Function Path Traversal Vulnerability

Vulnerability Details

Vulnerability Summary

In rsync 2.6.2 and earlier, the sanitize_path function in util.c contains a directory traversal vulnerability when chroot is disabled. An attacker can read or write certain files.
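As an added illustration (not rsync's own util.c code, and not part of the original page), the following C function shows the job sanitize_path performs for a daemon module that runs without chroot: every client-supplied path is rewritten so that it can no longer climb above the module root, which is the property the vulnerable versions did not guarantee. The names confine_path and confined_equals are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not rsync's own util.c code. confine_path() rewrites a
 * client-supplied path in place so that, once joined to a module root, it
 * cannot climb out of that root: leading slashes are dropped, "." and empty
 * components are dropped, and ".." only cancels a component this same path
 * already produced, never anything above the root. Returns the new length.
 * In a daemon module that runs without chroot, this is the only barrier. */
size_t confine_path(char *path)
{
    char *out = path, *p = path;      /* out never gets ahead of p */

    while (*p == '/') p++;            /* "/etc/passwd" -> "etc/passwd" */
    while (*p) {
        char *comp = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - comp);
        while (*p == '/') p++;        /* collapse "a//b" */
        if (len == 1 && comp[0] == '.')
            continue;                 /* "./x" -> "x" */
        if (len == 2 && comp[0] == '.' && comp[1] == '.') {
            if (out == path)
                continue;             /* ".." at the root is discarded */
            while (out > path && out[-1] != '/') out--;  /* pop component */
            if (out > path) out--;                       /* and its '/' */
            continue;
        }
        if (out != path) *out++ = '/';
        memmove(out, comp, len);
        out += len;
    }
    *out = '\0';
    return (size_t)(out - path);
}

/* Check helper: sanitize IN into a local buffer and compare with EXPECT. */
int confined_equals(const char *in, const char *expect)
{
    char buf[256];
    snprintf(buf, sizeof buf, "%s", in);
    confine_path(buf);
    return strcmp(buf, expect) == 0;
}
```

confined_equals("../../etc/passwd", "etc/passwd") returns 1, as does confined_equals("dir/./sub/../file", "dir/file"); a component such as "..." that is not exactly ".." is kept unchanged.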

Vendor Advisories

Avaya has released an advisory that acknowledges this vulnerability for Avaya products. Fixes are not currently available; customers are advised to follow Red Hat (RHSA-2004:436-07) vendor recommendations to resolve this issue. Please see the referenced Avaya advisory at the following location for further details:
http://support.avaya.com/japple/css/japple?temp.groupID=128450&temp.selectedFamily=128451&temp.selectedProduct=154235&temp.selectedBucket=126655&temp.feedbackState=askForFeedback&temp.documentID=201982&PAGE=avaya.css.CSSLvl1Detail&executeTransaction=avaya.css.UsageUpdate()
Red Hat has released advisory RHSA-2004:436-07 and fixes to address this issue on Red Hat Enterprise Linux platforms. Customers who are affected by this issue are advised to apply the appropriate updates. Customers subscribed to the Red Hat Network may apply the appropriate fixes using the Red Hat Update Agent (up2date). Please see the referenced advisory for additional information.
OpenPKG has released a security advisory (OpenPKG-SA-2004.037) to address this issue. Please see the referenced advisory for more information.
SUSE has released a security advisory (SUSE-SA:2004:026) to address this issue. Please see the referenced advisory for more information.
tinysofa has released a security advisory (TSSA-2004-020-ES) to address this issue. Please see the referenced advisory for further information.
Debian has released advisory DSA 538-1 to address this issue. Please see the attached advisory for further information.
Trustix has released advisory TSLSA-2004-0042 to address this issue. Please see the attached advisory for further information.
Gentoo has released updates to address this issue. Updates may be applied with the following commands:
emerge sync
emerge -pv ">=net-misc/rsync-2.6.0-r3"
emerge ">=net-misc/rsync-2.6.0-r3"
Netwosix has released advisory LNSA-#2004-0017 to address this issue. Please see the attached advisory for further information.
Mandrake has released an advisory (MDKSA-2004:083) to address this issue. Please see the referenced advisory for more information.
Red Hat has released two advisories (FEDORA-2004-268, FEDORA-2004-269) to address this issue in Fedora Core 1 and Fedora Core 2. Please see the referenced advisories for more information.
Turbolinux has released an advisory (TLSA-2004-20) to address this issue. Please see the referenced advisory for more information.
Red Hat has released a Fedora Legacy advisory (FLSA:2003) to address various issues in rsync. This advisory fixes these issues in Red Hat Linux 7.3 and 9 running on the i386 architecture. Please see the referenced advisory for more details and information about obtaining fixes.
Slackware Linux has released an advisory (SSA:2004-285-01) along with fixes dealing with this issue. For more information please see the referenced advisory.
Conectiva Linux has released advisory CLA-2004:881 along with fixes dealing with this issue. Please see the referenced advisory for more information.

Affected products

tinysofa enterprise server 2.0
rsync rsync 2.4.6
rsync rsync 2.5.4
rsync rsync 2.5.5

References

Source: GENTOO
Name: GLSA-200408-17
Link: http://www.gentoo.org/security/en/glsa/glsa-200408-17.xml

Source: DEBIAN
Name: DSA-538
Link: http://www.debian.org/security/2004/dsa-538

Source: TRUSTIX
Name: 2004-0042
Link: http://www.trustix.net/errata/2004/0042/

Source: SUSE
Name: SUSE-SA:2004:026
Link: http://www.novell.com/linux/security/advisories/2004_26_rsync.html

Source: samba.org
Link: http://samba.org/rsync/#security_aug04

Source: OVAL
Name: oval:org.mitre.oval:def:10561
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10561

Source: BUGTRAQ
Name: 20040817 LNSA-#2004-0017: rsync (Aug, 17 2004)
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=109277141223839&w=2

Source: BUGTRAQ
Name: 20040816 TSSA-2004-020-ES - rsync
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=109268147522290&w=2

Source: MANDRAKE
Name: MDKSA-2004:083
Link: http://www.mandriva.com/security/advisories?name=MDKSA-2004:083
