|
| From: | SAMBA | | Date: | 17.08.2004 | | Subject: | August 2004 Security Advisory |
August 2004 Security Advisory
August 12th, 2004
Background
There is a path-sanitizing bug that affects daemon mode in all recent rsync versions (including 2.6.2) but only if chroot is disabled. It does NOT affect the normal send/receive filenames that specify what files should be transferred (this is because these names happen to get sanitized twice, and thus the second call removes any lingering leading slash(es) that the first call left behind). It does affect certain option paths that cause auxilliary files to be read or written.
The Fix
The best fix is to apply this one-word patch to the sanitize_path() function in util.c:
--- orig/util.c 2004-04-27 12:59:37 -0700
+++ util.c 2004-08-11 23:37:27 -0700
@@ -743,7 +743,7 @@
allowdotdot = 1;
} else {
p += 2;
- if (*p == '/')
+ while (*p == '/')
p++;
if (sanp != start) {
/* back up sanp one level */
This bug is fixed in the CVS version of rsync, and will be released in version 2.6.3 (it is currently in release-testing).
One potential fix that doesn't require recompiling rsync is to set "use chroot = true" for all the modules in the rsyncd.conf file.
|
