Vulnerability Discovered in Rsync

Aug 17, 2007

A critical vulnerability has been discovered in the Rsync file synchronization tool.

An error in the "f_name()" function in the "flist.c" source code file can lead to a stack-based buffer overflow when faced with over-length directory names. Under unfavorable circumstances an attacker might be able to execute arbitrary code. The vulnerability, which has been assigned the CVE ID CVE-2007-4091, affects Rsync version 2.6.9 and possibly others. The issue was discovered by Sebastian Krahmer from the Suse Security Team and disclosed in Krahmer's blog.

An initial update and a patch that removes the vulnerability are already available. Users of Suse Linux can update using the online updater. Users with other systems can patch the source code and build a fix. Users that do not have either of these options are advised to restrict use of Rsync to trusted environments.
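The defect described above is a fixed-size buffer receiving a directory name and base name whose combined length was never checked. The following is an added illustration, not rsync's own code or patch, of how such a join is written defensively: the length is computed first and an over-length name is refused before a single byte is written. The buffer size NAME_BUF_LEN and the function names are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical cap standing in for the fixed-size buffer; rsync's own
 * constant is not given on the page. */
#define NAME_BUF_LEN 64

/* Joins "dirname/basename" into out (outlen bytes). Returns 1 on success;
 * returns 0 and sets out to "" if the result, including the terminating
 * NUL, would not fit. dirname may be NULL or empty. */
int join_name(const char *dirname, const char *basename,
              char *out, size_t outlen)
{
    size_t need, dlen = 0;

    if (!basename || !out || outlen == 0)
        return 0;
    out[0] = '\0';
    if (dirname && *dirname)
        dlen = strlen(dirname);
    need = strlen(basename) + 1;            /* basename + NUL */
    if (dlen)
        need += dlen + 1;                   /* dirname + '/' */
    if (need > outlen)                      /* over-length: reject, no write */
        return 0;
    if (dlen) {
        memcpy(out, dirname, dlen);
        out[dlen] = '/';
        memcpy(out + dlen + 1, basename, need - dlen - 1); /* incl. NUL */
    } else {
        memcpy(out, basename, need);
    }
    return 1;
}

/* Constructed check: a normal name joins, an over-length directory name
 * is refused instead of spilling past the buffer. Returns 1 if both hold. */
int demo(void)
{
    char buf[NAME_BUF_LEN], longdir[NAME_BUF_LEN + 8];
    int ok_short = join_name("etc", "rsyncd.conf", buf, sizeof buf);

    memset(longdir, 'A', sizeof longdir - 1);   /* constructed 71-byte name */
    longdir[sizeof longdir - 1] = '\0';
    int ok_long = join_name(longdir, "x", buf, sizeof buf);
    printf("short join ok=%d, over-length rejected=%d\n", ok_short, !ok_long);
    return ok_short && !ok_long;
}

int main(void) { return demo() ? 0 : 1; }
```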
