
Security: Faulty numeric comparisons in rsync
Name: Faulty numeric comparisons in rsync
ID: CSSA-2002-003.0
Distribution: Caldera
Platforms: Caldera eDesktop 2.4, Caldera eBuilder, Caldera eServer 2.3.1, Caldera 2.3, Caldera Server 3.1, Caldera Workstation 3.1, Caldera 3.1 IA64, Caldera Server 3.1.1, Caldera Workstation 3.1.1
Date: Sat, 9 February 2002, 12:00
References: Not specified
Applications: rsync

Original message

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________
Caldera International, Inc. Security Advisory

Subject: Linux - Remote attack on rsync
Advisory number: CSSA-2002-003.0
Issue date: 2002, January 24
Cross reference:
______________________________________________________________________________


1. Problem Description

Sebastian Krahmer of SuSE discovered a vulnerability in rsync that
allows an attacker to modify memory of the rsync server process. There
is no known exploit yet, but this vulnerability could be used against
servers providing downloads via anonymous rsync. Note that the problem
can also be exploited by a rogue server attacking a client that uses
rsync.


2. Vulnerable Versions

System                                    Package
-----------------------------------------------------------
OpenLinux 2.3                             All packages previous to
                                          rsync-2.5.0-2

OpenLinux eServer 2.3.1                   All packages previous to
and OpenLinux eBuilder                    rsync-2.5.0-2

OpenLinux eDesktop 2.4                    All packages previous to
                                          rsync-2.5.0-2

OpenLinux Server 3.1                      All packages previous to
                                          rsync-2.5.0-2

OpenLinux Workstation 3.1                 All packages previous to
                                          rsync-2.5.0-2

OpenLinux 3.1 IA64                        All packages previous to
                                          rsync-2.5.0-2

OpenLinux Server 3.1.1                    All packages previous to
                                          rsync-2.5.0-2

OpenLinux Workstation 3.1.1               All packages previous to
                                          rsync-2.5.0-2



3. Solution

Workaround

none

The proper solution is to upgrade to the latest packages.

4. OpenLinux 2.3

4.1 Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/current/RPMS

The corresponding source code package can be found at:

ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/current/SRPMS

4.2 Verification

5f24a0ddccec6d227bda592e770770c5 RPMS/rsync-2.5.0-2.i386.rpm
53d246410dd62b6db36c1ff682193331 SRPMS/rsync-2.5.0-2.src.rpm


4.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

rpm -Fvh rsync-2.5.0-2.i386.rpm
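The advisory publishes an MD5 sum for each fixed package but leaves the check to the reader. The following script is an added example, not part of the Caldera advisory: it looks up the published sum for a downloaded file, compares it with md5sum, and only then hands the package to rpm -Fvh. The sums embedded in EXPECTED_SUMS are the OpenLinux 2.3 values from section 4.2; the function and variable names are this example's own.

```shell
# Published sums in "md5sum -c" format ("<md5>  <path>"), one per line.
# These are the OpenLinux 2.3 values from the advisory's Verification section.
EXPECTED_SUMS='5f24a0ddccec6d227bda592e770770c5  RPMS/rsync-2.5.0-2.i386.rpm
53d246410dd62b6db36c1ff682193331  SRPMS/rsync-2.5.0-2.src.rpm'

# lookup_sum NAME: print the published MD5 for NAME, or return 1 if unlisted.
lookup_sum() {
    printf '%s\n' "$EXPECTED_SUMS" |
        awk -v want="$1" '$2 == want { print $1; found = 1 } END { exit !found }'
}

# verify_md5 FILE EXPECTED: return 0 when FILE's MD5 equals EXPECTED, else 1.
verify_md5() {
    actual=$(md5sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$2" ]
}

# install_if_verified FILE NAME: run rpm -Fvh on FILE only if its checksum
# matches the published sum for NAME; refuse (and say why) otherwise.
install_if_verified() {
    expected=$(lookup_sum "$2") || {
        echo "no published sum for $2; not installing" >&2
        return 1
    }
    if verify_md5 "$1" "$expected"; then
        rpm -Fvh "$1"
    else
        echo "checksum mismatch for $1; not installing" >&2
        return 1
    fi
}
```

A typical call is `install_if_verified ./rsync-2.5.0-2.i386.rpm RPMS/rsync-2.5.0-2.i386.rpm` after downloading from the FTP location above; for the other OpenLinux releases substitute the sums from their own Verification sections.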


5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0

5.1 Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/RPMS

The corresponding source code package can be found at:

ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/SRPMS

5.2 Verification

f1679a658eee7afc5cc5e223a0f019b4 RPMS/rsync-2.5.0-2.i386.rpm
53d246410dd62b6db36c1ff682193331 SRPMS/rsync-2.5.0-2.src.rpm


5.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

rpm -Fvh rsync-2.5.0-2.i386.rpm


6. OpenLinux eDesktop 2.4

6.1 Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/RPMS

The corresponding source code package can be found at:

ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/SRPMS

6.2 Verification

319f52b332937a9ec9b6b3a84a1a2818 RPMS/rsync-2.5.0-2.i386.rpm
53d246410dd62b6db36c1ff682193331 SRPMS/rsync-2.5.0-2.src.rpm


6.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

rpm -Fvh rsync-2.5.0-2.i386.rpm


7. OpenLinux 3.1 Server

7.1 Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS

The corresponding source code package can be found at:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS

7.2 Verification

6edac1d41d34f694ff64a9b363f76be0 RPMS/rsync-2.5.0-2.i386.rpm
53d246410dd62b6db36c1ff682193331 SRPMS/rsync-2.5.0-2.src.rpm


7.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

rpm -Fvh rsync-2.5.0-2.i386.rpm


8. OpenLinux 3.1 Workstation

8.1 Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS

The corresponding source code package can be found at:

SRPMS

8.2 Verification

6edac1d41d34f694ff64a9b363f76be0 RPMS/rsync-2.5.0-2.i386.rpm
53d246410dd62b6db36c1ff682193331 SRPMS/rsync-2.5.0-2.src.rpm


8.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

rpm -Fvh rsync-2.5.0-2.i386.rpm


9. OpenLinux 3.1 IA64

9.1 Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/IA64/current/RPMS

The corresponding source code package can be found at:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/IA64/current/SRPMS

9.2 Verification

35254e165135c1e1d08816432a04f132 RPMS/rsync-2.5.0-2.ia64.rpm
53d246410dd62b6db36c1ff682193331 SRPMS/rsync-2.5.0-2.src.rpm


9.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

rpm -Fvh rsync-2.5.0-2.ia64.rpm


10. OpenLinux 3.1.1 Server

10.1 Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS

The corresponding source code package can be found at:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS

10.2 Verification

bc2612d7b204fbeef936e24ec8afe0b6 RPMS/rsync-2.5.0-2.i386.rpm
53d246410dd62b6db36c1ff682193331 SRPMS/rsync-2.5.0-2.src.rpm


10.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

rpm -Fvh rsync-2.5.0-2.i386.rpm


11. OpenLinux 3.1.1 Workstation

11.1 Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

RPMS

The corresponding source code package can be found at:

SRPMS

11.2 Verification

bc2612d7b204fbeef936e24ec8afe0b6 RPMS/rsync-2.5.0-2.i386.rpm
53d246410dd62b6db36c1ff682193331 SRPMS/rsync-2.5.0-2.src.rpm


11.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

rpm -Fvh rsync-2.5.0-2.i386.rpm



12. References

This and other Caldera security resources are located at:

http://www.caldera.com/support/security/index.html

This security fix closes Caldera's internal Problem Report 11350.


13. Disclaimer

Caldera International, Inc. is not responsible for the misuse of
any of the information we provide on this website and/or through our
security advisories. Our advisories are a service to our customers
intended to promote secure installation and use of Caldera OpenLinux.

14. Acknowledgements

Caldera International wishes to thank Sebastian Krahmer of SuSE for his
thorough security review, and for sharing his finding.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8X8JV18sy83A/qfwRAuQ4AKChuNxFkSa8D1tTPpEizbuHpA9qbwCfWL/B
WKmA3JGKIZ3rowplXTEL7DM=
=8c0p
-----END PGP SIGNATURE-----
