CVE-2014-9512
Published: 12 February 2015
rsync 3.1.1 allows remote attackers to write to arbitrary files via a symlink attack on a file in the synchronization path.
Priority
Status
Package | Release | Status |
---|---|---|
rsync Launchpad, Ubuntu, Debian |
Upstream |
Released
(3.1.2)
|
Ubuntu 16.04 LTS (Xenial Xerus) |
Released
(3.1.1-3ubuntu1)
|
|
Ubuntu 14.04 ESM (Trusty Tahr) |
Released
(3.1.0-2ubuntu0.2)
|
|
Patches: Upstream: https://git.samba.org/?p=rsync.git;a=commit;h=962f8b90045ab331fc04c9e65f80f1a53e68243b Upstream: https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=e12a6c087ca1eecdb8eae5977be239c24f4dd3d9 |
Notes
Author | Note |
---|---|
mdeslaur | rsync 3.1.1 introduced invalid filename filtering to prevent malicious servers from sending files outside of the specified directory: https://git.samba.org/?p=rsync.git;a=commit;h=4cad402ea8a91031f86c53961d78bb7f4f174790 CVE-2014-9512 is about malicious servers being able to bypass that filtering by changing paths. This is a security hardening feature that was added in 3.1.1. Either the whole feature needs to be backported to versions earlier than 3.1.1, or this issue doesn't apply to them. a second commit was later added: https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=e12a6c087ca1eecdb8eae5977be239c24f4dd3d9 packages in vivid+ claim that this CVE is fixed, but are missing the second commit |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9512
- http://xteam.baidu.com/?p=169
- https://usn.ubuntu.com/usn/usn-2879-1
- NVD
- Launchpad
- Debian