SuSE: 2003-050: rsync Security Update
Summary
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SUSE Security Announcement
Package: rsync
Announcement-ID: SuSE-SA:2003:050
Date: Thursday, Dec 4th 2003 14:30 MET
Affected products: 7.3, 8.0, 8.1, 8.2, 9.0
SuSE Linux Database Server,
SuSE eMail Server III, 3.1
SuSE Linux Enterprise Server 7, 8
SuSE Linux Firewall on CD/Admin host
SuSE Linux Connectivity Server
SuSE Linux Office Server
Vulnerability Type: local privilege escalation
Severity (1-10): 4
SUSE default package: no
Cross References: CAN-2003-0962
Content of this advisory:
1) security vulnerability resolved: heap overflow
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds:
- discontinue of SuSE Linux 7.3
- KDE
- mc
- apache
- screen
- mod_gzip
- unace
3) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion, solution, upgrade information
The rsync suite provides client and server tools to easily support an
administrator keeping the files of different machines in sync.
In most private networks the rsync client tool is used via SSH to fulfill
his tasks. In an open environment rsync is run in server mode accepting
connections from many untrusted hosts with, but mostly without,
authentication.
The rsync server drops its root privileges soon after it was started and
per default creates a chroot environment.
Due to insufficient integer/bounds checking in the server code a heap
overflow can be triggered remotely to execute arbitrary code. This code
does not get executed as root and access is limited to the chroot
environment. The chroot environment maybe broken afterwards by abusing
further holes in system software or holes in the chroot setup.
Your are not vulnerable as long as you do not use rsync in server mode
or you use authentication to access the rsync server.
As a temporary workaround you can disable access to your rsync server for
untrusted parties, enable authentication or switch back to rsync via SSH.
Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.
Intel i386 Platform:
SuSE-9.0:
e848708286572c8a793819e5a358274a
patch rpm(s):
d70f7726a2c8850a8c085bdbe9afbf27
source rpm(s):
45e14417a64704fcee1dfea390a5b3f6
SuSE-8.2:
341d1da31000831d994e48d0714b576d
patch rpm(s):
d94f1a84fc07e92dfc87471f909314c9
source rpm(s):
16b19cc2331ff577f2d1f9e116e74625
SuSE-8.1:
28799a5950666eb7f104e2831575fb3c
patch rpm(s):
02557d2de1dc27ffd97845ebabb336b6
source rpm(s):
6a7cd73509acf3cca12d9a4f4b3aec98
SuSE-8.0:
cf9fde4bcf1f3af3e3c5ae6bf5ceba85
patch rpm(s):
0a61425e9bb345fe73e42926408257cb
source rpm(s):
d5c29841ff1f387cb003c359eee868df
SuSE-7.3:
67b2400ee15d739e75a1463db7d003ca
source rpm(s):
ececccdf316a4d98c66315fc560eb9b1
Sparc Platform:
SuSE-7.3:
bd408eb2cfe82206439c78a1fbaecf60
source rpm(s):
e500422c7cf0dc39c6bb3cf2445d9998
SuSE-7.3:
7eebb018bce237a4f351f5e00761ead1
source rpm(s):
2dd16900d70cbf06454dcd52b822a0ae
______________________________________________________________________________
2) Pending vulnerabilities in SUSE Distributions and Workarounds:
- discontinue of SuSE Linux 7.3
Two years after the release, SUSE will discontinue providing updates
and security fixes for the SuSE Linux 7.3 consumer product on the
Intel i386 and the PPC Power PC architectures. Vulnerabilities found
after December 15th 2003 will not be fixed any more for SuSE Linux
7.3.
Directory structures referring to the SuSE Linux 7.3 release will be
moved to the discontinued/ tree on our main ftp server ftp.suse.com
the distribution directories first, followed by the update/ directory
tree in January 2004.
Please note that our SuSE Linux Enterprise Server family products have
a much longer support period. These products are not concerned by this
announcement.
- KDE
New KDE packages are currently being tested. These packages fixes
several vulnerabilities:
+ remote root compromise (CAN-2003-0690)
+ weak cookies (CAN-2003-0692)
+ SSL man-in-the-middle attack
+ information leak through HTML-referrer (CAN-2003-0459)
+ wrong file permissions of config files
The packages will be release as soon as testing is finished.
- mc
By using a special combination of links in archive-files it is possible
to execute arbitrary commands while mc tries to open it in its VFS.
The packages are currently tested and will be release as soon as
possible.
- apache1/2
The widely used HTTP server apache has several security vulnerabilities:
- locally exploitable buffer overflow in the regular expression code.
The attacker must be able to modify .htaccess or httpd.conf.
(affects: mod_alias and mod_rewrite)
- under some circumstances mod_cgid will output its data to the
wrong client (affects: apache2)
Update packages are available on our FTP servers.
- freeradius
Two vulnerabilities were found in the FreeRADIUS package.
The remote denial-of-service attack bug was fixed and new packages
will be released as soon as testing was successfully finished.
The other bug is a remote buffer overflow in the module rlm_smb.
We do not ship this module and will fix it for future releases.
- screen
A buffer overflow in screen was reported. Since SuSE Linux 8.0
we do not ship screen with the s-bit anymore. An update package
will be released for 7.3 as soon as possible.
- mod_gzip
The apache module mod_gzip is vulnerable to remote code execution
while running in debug-mode. We do not ship this module in debug-mode
but future versions will include the fix.
Additionally the mod_gzip code was audited to fix more possible security
related bugs.
- unace
The tool unace for handling the archive format ACE is vulnerable to
a buffer overflow that can be triggered with long file-names as command
line argument. This only affects unace version 2.5. Unfortunately this
tool is provided closed source only from the author. Therefore we are
unable to check for other bugs or look at the patch.
Update packages are available from our FTP servers.
______________________________________________________________________________
3) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SUSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum
References
