• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

rsync Signed Array Index Remote Code Execution Vulnerability

Solution:
rsync 2.5.2 is no longer vulnerable to this issue.

There have been some reports that the provided RedHat and Debian updates cause problems. Please refer to Bugzilla bug 58874 in the references section for details and a proposed solution.

HP has published an advisory stating that the fixes for Red Hat Linux should be applied to HP Secure OS software for Linux. The Red Hat fixes are linked to in the solutions section.

RedHat has released an updated advisory and fixes, which are reported to solve the above issues.

Vendor patches:


rsync rsync 2.3.1

• Caldera rsync-2.5.0-2.i386
  ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/RPMS/rsync-2.5. 0-2.i386.rpm


• Caldera rsync-2.5.0-2.i386
  eServer 2.3 and eBuilder
  ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/RPMS/rsync-2.5.0 -2.i386.rpm


• Conectiva rsync-2.4.6-4U50_1cl.i386.rpm
  for Conectiva 5.0
  ftp://atualizacoes.conectiva.com.br/5.0/i386/rsync-2.4.6-4U50_1cl.i386 .rpm


• Conectiva rsync-2.4.6-4U50_1cl.i386.rpm
  for Conectiva ecommerce
  ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/rsync-2 .4.6-4U50_1cl.i386.rpm


• Conectiva rsync-2.4.6-4U50_1cl.i386.rpm
  for Conectiva graficas
  ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/rsync-2. 4.6-4U50_1cl.i386.rpm


• Conectiva rsync-2.4.6-4U51_1cl.i386.rpm
  for Conectiva 5.1
  ftp://atualizacoes.conectiva.com.br/5.1/i386/rsync-2.4.6-4U51_1cl.i386 .rpm


• rsync rsync 2.5.2
  http://rsync.samba.org/rsync/download.html

rsync rsync 2.3.2 -1.2 ARM

• Debian rsync_2.3.2-1.3_arm
  http://security.debian.org/dists/stable/updates/main/binary-arm/rsync_ 2.3.2-1.3_arm.deb


• rsync rsync 2.5.2
  http://rsync.samba.org/rsync/download.html

rsync rsync 2.3.2 -1.2 sparc

• Debian rsync_2.3.2-1.3_alpha
  http://security.debian.org/dists/stable/updates/main/binary-alpha/rsyn c_2.3.2-1.3_alpha.deb


• Debian rsync_2.3.2-1.3_arm
  http://security.debian.org/dists/stable/updates/main/binary-arm/rsync_ 2.3.2-1.3_arm.deb


• Debian rsync_2.3.2-1.3_sparc
  http://security.debian.org/dists/stable/updates/main/binary-sparc/rsyn c_2.3.2-1.3_sparc.deb


• rsync rsync 2.5.2
  http://rsync.samba.org/rsync/download.html

rsync rsync 2.3.2 -1.2 m68k

• Debian rsync_2.3.2-1.3_m68k
  http://security.debian.org/dists/stable/updates/main/binary-m68k/rsync _2.3.2-1.3_m68k.deb


• rsync rsync 2.5.2
  http://rsync.samba.org/rsync/download.html

rsync rsync 2.3.2 -1.2 intel

• Debian rsync_2.3.2-1.3_i386
  http://security.debian.org/dists/stable/updates/main/binary-i386/rsync _2.3.2-1.3_i386.deb


• rsync rsync 2.5.2
  http://rsync.samba.org/rsync/download.html

rsync rsync 2.3.2 -1.2 alpha

• Debian rsync_2.3.2-1.3_alpha
  http://security.debian.org/dists/stable/updates/main/binary-alpha/rsyn c_2.3.2-1.3_alpha.deb


• rsync rsync 2.5.2
  http://rsync.samba.org/rsync/download.html

rsync rsync 2.3.2

• rsync rsync 2.5.2
  http://rsync.samba.org/rsync/download.html


• SuSE rsync-2.3.2-123.i386.rpm
  for SuSE 6.4
  ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1/rsync-2.3.2-123.i386.rp m


• SuSE rsync-2.3.2-124.i386.rpm
  for SuSE 7.0
  ftp://ftp.suse.com/pub/suse/i386/update/7.0/n1/rsync-2.3.2-124.i386.rp m


• SuSE rsync-2.3.2-133.ppc.rpm
  for SuSE 6.4
  ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n1/rsync-2.3.2-133.ppc.rpm


• SuSE rsync-2.3.2-133.ppc.rpm
  for SuSE 7.0
  ftp://ftp.suse.com/pub/suse/ppc/update/7.0/n1/rsync-2.3.2-133.ppc.rpm


• SuSE rsync-2.3.2-30.alpha.rpm
  for SuSE 7.0
  ftp://ftp.suse.com/pub/suse/axp/update/7.0/n1/rsync-2.3.2-30.alpha.rpm


• SuSE rsync-2.3.2-31.alpha.rpm
  for SuSE 6.4
  ftp://ftp.suse.com/pub/suse/axp/update/6.4/n1/rsync-2.3.2-31.alpha.rpm


• SuSE rsync-2.3.2-5.sparc.rpm
  for SuSE 7.0
  ftp://ftp.suse.com/pub/suse/sparc/update/7.0/n1/rsync-2.3.2-5.sparc.rp m

rsync rsync 2.3.2 -1.2 PPC

• Debian rsync_2.3.2-1.3_powerpc
  http://security.debian.org/dists/stable/updates/main/binary-powerpc/rs ync_2.3.2-1.3_powerpc.deb


• rsync rsync 2.5.2
  http://rsync.samba.org/rsync/download.html

rsync rsync 2.4.1

• RedHat rsync-2.4.6-1.6.alpha.rpm
  for RedHat 6.2
  ftp://updates.redhat.com/6.2/en/os/alpha/rsync-2.4.6-1.6.alpha.rpm


• RedHat rsync-2.4.6-1.6.i386.rpm
  for RedHat 6.2
  ftp://updates.redhat.com/6.2/en/os/i386/rsync-2.4.6-1.6.i386.rpm


• RedHat rsync-2.4.6-1.6.sparc.rpm
  for RedHat 6.2
  ftp://updates.redhat.com/6.2/en/os/sparc/rsync-2.4.6-1.6.sparc.rpm


• rsync rsync 2.5.2
  http://rsync.samba.org/rsync/download.html

rsync rsync 2.4.3

• Caldera rsync-2.5.0-2.i386
  ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/current/RPMS/rsync-2.5 .0-2.i386.rpm


• Caldera rsync-2.5.0-2.i386
  ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS/rs ync-2.5.0-2.i386.rpm


• Caldera rsync-2.5.0-2.i386
  ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RP MS/rsync-2.5.0-2.i386.rpm


• Caldera rsync-2.5.0-2.ia64
  ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/IA64/current/RPMS/rsyn c-2.5.0-2.ia64.rpm


• rsync rsync 2.5.2
  http://rsync.samba.org/rsync/download.html


• Trustix rsync-2.4.6-4tr.i586.rpm
  for Trustix 1.1
  http://www.trustix.net/pub/Trustix/updates/1.1/RPMS/rsync-2.4.6-4tr.i5 86.rpm

rsync rsync 2.4.4

• RedHat rsync-2.4.6-10.alpha.rpm
  for RedHat 7.0
  ftp://updates.redhat.com/7.0/en/os/alpha/rsync-2.4.6-10.alpha.rpm


• RedHat rsync-2.4.6-10.alpha.rpm
  for RedHat 7.1
  ftp://updates.redhat.com/7.1/en/os/alpha/rsync-2.4.6-10.alpha.rpm


• RedHat rsync-2.4.6-10.i386.rpm
  for RedHat 7.0
  ftp://updates.redhat.com/7.0/en/os/i386/rsync-2.4.6-10.i386.rpm


• RedHat rsync-2.4.6-10.i386.rpm
  for RedHat 7.1
  ftp://updates.redhat.com/7.1/en/os/i386/rsync-2.4.6-10.i386.rpm


• RedHat rsync-2.4.6-10.ia64.rpm
  for RedHat 7.1
  ftp://updates.redhat.com/7.1/en/os/ia64/rsync-2.4.6-10.ia64.rpm


• rsync rsync 2.5.2
  http://rsync.samba.org/rsync/download.html

rsync rsync 2.4.6

• Conectiva rsync-2.4.6-4U60_1cl.i386.rpm
  for Conectiva 6.0
  ftp://atualizacoes.conectiva.com.br/6.0/RPMS/rsync-2.4.6-4U60_1cl.i386 .rpm


• Conectiva rsync-2.4.6-4U70_1cl.i386.rpm
  for Conectiva 7.0
  ftp://atualizacoes.conectiva.com.br/7.0/RPMS/rsync-2.4.6-4U70_1cl.i386 .rpm


• EnGarde Secure Linux rsync-2.4.6-1.0.3.i386.rpm
  ftp://ftp.engardelinux.org/pub/engarde/stable/updates/


• EnGarde Secure Linux rsync-2.4.6-1.0.3.i686.rpm
  ftp://ftp.engardelinux.org/pub/engarde/stable/updates/


• Mandrake rsync-2.4.6-3.1mdk.i586.rpm
  for Mandrake Linux 7.2
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake rsync-2.4.6-3.1mdk.i586.rpm
  for Mandrake Linux 8.0
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake rsync-2.4.6-3.1mdk.i586.rpm
  for Mandrake Linux 8.1
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake rsync-2.4.6-3.1mdk.i586.rpm
  for Mandrake Single Network Firewall 7.2
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake rsync-2.4.6-3.1mdk.ia64.rpm
  for Mandrake Linux 8.1
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake rsync-2.4.6-3.1mdk.ppc.rpm
  for Mandrake Linux 8.0
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake rsync-2.4.6-3.2mdk.i586.rpm
  for Mandrake Corporate Server 1.0.1
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake rsync-2.4.6-3.2mdk.i586.rpm
  for Mandrake Linux 7.1
  http://www.mandrakesecure.net/en/ftp.php


• RedHat rsync-2.4.6-10.i386.rpm
  for RedHat 7.2
  ftp://updates.redhat.com/7.2/en/os/i386/rsync-2.4.6-10.i386.rpm


• RedHat rsync-2.4.6-10.ia64.rpm
  for RedHat 7.2
  ftp://updates.redhat.com/7.2/en/os/ia64/rsync-2.4.6-10.ia64.rpm


• rsync rsync 2.5.2
  http://rsync.samba.org/rsync/download.html


• SuSE rsync-2.4.6-123.alpha.rpm
  for SuSE 7.1
  ftp://ftp.suse.com/pub/suse/axp/update/7.1/n2/rsync-2.4.6-123.alpha.rp m


• SuSE rsync-2.4.6-135.sparc.rpm
  for SuSE 7.1
  ftp://ftp.suse.com/pub/suse/sparc/update/7.1/n2/rsync-2.4.6-135.sparc. rpm


• SuSE rsync-2.4.6-135.sparc.rpm
  for SuSE 7.3
  ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n2/rsync-2.4.6-135.sparc. rpm


• SuSE rsync-2.4.6-150.ppc.rpm
  for SuSE 7.3
  ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n2/rsync-2.4.6-150.ppc.rpm


• SuSE rsync-2.4.6-151.ppc.rpm
  for SuSE 7.1
  ftp://ftp.suse.com/pub/suse/ppc/update/7.1/n2/rsync-2.4.6-151.ppc.rpm


• SuSE rsync-2.4.6-288.i386.rpm
  for SuSE 7.1
  ftp://ftp.suse.com/pub/suse/i386/update/7.1/n2/rsync-2.4.6-288.i386.rp m


• SuSE rsync-2.4.6-288.i386.rpm
  for SuSE 7.3
  ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/rsync-2.4.6-288.i386.rp m


• SuSE rsync-2.4.6-289.i386.rpm
  for SuSE 7.2
  ftp://ftp.suse.com/pub/suse/i386/update/7.2/n2/rsync-2.4.6-289.i386.rp m


• Trustix rsync-2.4.6-4tr.i586.rpm
  for Trustix 1.2
  http://www.trustix.net/pub/Trustix/updates/1.2/RPMS/rsync-2.4.6-4tr.i5 86.rpm


• Trustix rsync-2.4.6-4tr.i586.rpm
  for Trustix 1.5
  http://www.trustix.net/pub/Trustix/updates/1.5/RPMS/rsync-2.4.6-4tr.i5 86.rpm

rsync rsync 2.4.8

• Caldera rsync-2.5.0-2.i386
  ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS/ rsync-2.5.0-2.i386.rpm


• Caldera rsync-2.5.0-2.i386
  ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/ RPMS/rsync-2.5.0-2.i386.rpm

rsync rsync 2.5.1

• FreeBSD rsync-2.5.1_1.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/rsy nc-2.5.1_1.tgz