SecurityTracker.com
Category:   Application (Generic)  >   Rsync
Vendors:   rsync.samba.org
Rsync Heap Overflow in Daemon Mode Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1008380
SecurityTracker URL:  http://securitytracker.com/id/1008380
CVE Reference:   CVE-2003-0962
Date:  Dec 4 2003
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 2.5.6 and prior versions
Description:   A vulnerability was reported in rsync. A remote user can execute arbitrary code on the target system.

It is reported that a remote user can connect to a target server running rsync on TCP port 873 and send specially crafted data to execute arbitrary code. The code will run with the privileges of the rsync daemon.

Only systems that are running rsync in daemon mode are reportedly affected.

Impact:   A remote user can execute arbitrary code with the privileges of the rsync daemon.
Solution:   The vendor has released a fixed version (2.5.7) and also a patch for 2.5.6, available at:

http://rsync.samba.org/
http://samba.org/ftp/rsync/rsync-2.5.7.tar.gz
http://samba.org/ftp/rsync/rsync-2.5.6-2.5.7.diff.gz

Vendor URL:  rsync.samba.org/
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Dec 4 2003 (Slackware Issues Fix) Rsync Heap Overflow in Daemon Mode Lets Remote Users Execute Arbitrary Code
Slackware has released a fix.
Dec 4 2003 (Trustix Issues Fix) Rsync Heap Overflow in Daemon Mode Lets Remote Users Execute Arbitrary Code
Trustix has released a fix.
Dec 4 2003 (SuSE Issues Fix) Rsync Heap Overflow in Daemon Mode Lets Remote Users Execute Arbitrary Code
SuSE has issued a fix.
Dec 4 2003 (Debian Issues Fix) Rsync Heap Overflow in Daemon Mode Lets Remote Users Execute Arbitrary Code
Debian has released a fix.
Dec 4 2003 (Red Hat Issues Fix for Red Hat Linux) Rsync Heap Overflow in Daemon Mode Lets Remote Users Execute Arbitrary Code
Red Hat has released a fix for Red Hat Linux.
Dec 4 2003 (Gentoo Issues Fix) Rsync Heap Overflow in Daemon Mode Lets Remote Users Execute Arbitrary Code
Gentoo has issued a fix.
Dec 5 2003 (Red Hat Issues Fix for Enterprise Linux) Rsync Heap Overflow in Daemon Mode Lets Remote Users Execute Arbitrary Code
Red Hat has released a fix for Red Hat Enterprise Linux.
Dec 5 2003 (EnGarde Issues Fix) Rsync Heap Overflow in Daemon Mode Lets Remote Users Execute Arbitrary Code
Guardian Digital has released a fix.
Dec 5 2003 (OpenBSD Issues Fix) Rsync Heap Overflow in Daemon Mode Lets Remote Users Execute Arbitrary Code
OpenBSD has released a fix.
Dec 5 2003 (Mandrake Issues Fix) Rsync Heap Overflow in Daemon Mode Lets Remote Users Execute Arbitrary Code
Mandrake has released a fix.
Dec 5 2003 (Conectiva Issues Fix) Rsync Heap Overflow in Daemon Mode Lets Remote Users Execute Arbitrary Code
Conectiva has released a fix.
Dec 11 2003 (SGI Issues Fix for SGI ProPack) Rsync Heap Overflow in Daemon Mode Lets Remote Users Execute Arbitrary Code
SGI has issued a fix for SGI Advanced Linux Environment.
Dec 18 2003 (Turbolinux Issues Fix) Rsync Heap Overflow in Daemon Mode Lets Remote Users Execute Arbitrary Code
Turbolinux has issued a fix.
Dec 20 2003 (Apple Issues Fix) Rsync Heap Overflow in Daemon Mode Lets Remote Users Execute Arbitrary Code
Apple has released a fix.
Mar 5 2004 (SCO Issues Fix for OpenLinux) Rsync Heap Overflow in Daemon Mode Lets Remote Users Execute Arbitrary Code
SCO has issued a fix for OpenLinux 3.1.1.



 Source Message Contents

Subject:  rsync


It is reported that all versions of rsync prior to 2.5.7 contain a heap overflow.  A 
remote user can execute arbitrary code on the target system.  Only systems that are running 
rsync in daemon mode are affected.

CVE: CAN-2003-0962


 
 



Copyright 2021, SecurityGlobal.net LLC