[LWN Logo]

Date: Fri, 30 Apr 1999 11:29:51 -0600
From: Caldera Systems Information <info@calderasystems.com>
To: caldera-announce@rim.caldera.com
Subject: SECURITY [CSSA-1999:010.0] -- rsync may change directory permissions inadvertently

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________
		   Caldera Systems, Inc.  Security Advisory

Subject:		rsync may change directory permissions inadvertently
Advisory number: 	CSSA-1999:010.0
Issue date: 		1999 Apr 30
Cross reference: 
______________________________________________________________________________


1. Problem Description

   There's a security problem with rsync which can cause
   the permissions of an users home directory to be changed.
   The bug is fairly obscure, but it's fixed in ver 2.3.1


   The problem happens if all of these conditions hold true:
 
   1) the source file list contains exactly one filename and that
      is the name of an empty directory
   2) the source directory name is specified on the command line
      as "somedir/" or "somedir/." or "." not as "somedir"
   3) the destination directory doesn't exist
   4) you have recursion and permission transfer enabled (the -a option
      will do this)
   5) the working directory of the receiving process is not the
      destination directory (this happens when you do remote rsync
      transfers)
 
   (the short summary is that you need to be transferring an empty
   directory into a non-existent directory)
 
   In that case (which is quite rare) the permissions from the empty
   directory in the source file list were set on the working directory of
   the receiving process. In the case of a remote rsync over rsh or ssh
   this means that the permissions on your home directory are changed to
   those of the empty directory you are transferring.
 
   This is a serious bug (and security hole) as it may change your home
   directory permissions to allow other users access to your files. A
   user can't exploit this hole deliberately to gain privileges (ie. this
   is not an "active" security hole) but a system administrator could
   easily be caught by the bug and inadvertently compromise the security
   of their system.
 
   To see if you have been hit by this bug you should look at the
   permissions on your home directory. If they are not what you expect
   then perhaps you have been bitten by this bug.
 
   The fix is to chmod your home directory back to the correct
   permissions and upgrade to rsync 2.3.1. The bug is in the receiving
   side of rsync, so it is quite safe to continue to use older anonymous
   rsync servers as long as you upgrade your client.
 
   This bug has been present in all versions of rsync.
   

2. Vulnerable Versions

   Systems: 	OpenLinux 1.0, 1.1, 1.2, 1.3, 2.2.
   Packages: 	previous to rsync-2.3.1


3. Solutions

   The proper solution is to upgrade to the rsync-2.3.1-1.i386.rpm

4. Location of Fixed Packages

   The upgrade packages can be found on Caldera's FTP site at:

   ftp://ftp.calderasystems.com/pub/OpenLinux/updates/2.2/current/RPMS/

   The corresponding source code package can be found at:

   ftp://ftp.calderaystems.com/pub/OpenLinux/updates/2.2/current/SRPMS


5. Installing Fixed Packages

   Upgrade the affected packages with the following commands:

   rpm -q rsync && rpm -U rsync-2.3.1-1.i386.rpm


6. Verification

   The MD5 checksums (from the "md5sum" command) for these packages are:

   76a89fabb96e61adb1df5c14d955c08b  RPMS/rsync-2.3.1-1.i386.rpm
   c16447d52d0166ab94666f2a4c1b9984  SRPMS/rsync-2.3.1-1.src.rpm


7. References

   This and other Caldera security resources are located at:

   http://www.calderasystems.com/news/security/index.html
  
   Additional documentation on this problem can be found in:
  

   This security fix closes Caldera's internal Problem Report 4509.


8. Disclaimer

   Caldera Systems, Inc. is not responsible for the misuse of any of the
   information we provide on this website and/or through our security
   advisories. Our advisories are a service to our customers intended to
   promote secure installation and use of Caldera OpenLinux.

______________________________________________________________________________


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBNylzeen+9R4958LpAQF2hwQAq3E7kEh2LRDFnDa/E9FuK+0ArNqUEgr8
rJ5EU8sgwaA9IGNRja19op1Ak/SCK4GYohPvYpoR6tSa0P+C7McrCpO0S0fS2bQg
XiXyrbndb5erlnPjxJLFeozXtn1vIZ2jFI7Y4TvI/kQlsWbxqUAoM6tH1diHia6Z
mbQFM4fHD5Q=
=brbM
-----END PGP SIGNATURE-----
-
Notes: To learn how to use this list server, email a "help" command to
majordomo@rim.caldera.com.