Vulnerability Discovered in Rsync

Aug 17, 2007

A critical vulnerability has been discovered in the Rsync file synchronization tool.

An error in the "f_name()" function in the "flist.c" source code file can lead to a stack-based buffer overflow when faced with over length directory names. Under unfavorable circumstances an attacker might be able to execute arbitrary code. The vulnerability, which has been assigned the CVE ID CVE-2007-4091, affects Rsync version 2.6.9 and possibly others. The issue was discovered by Sebastian Krahmer from the Suse Security Team, and disclosed in Krahmer's blog.

An initial update and a patch that removes the vulnerability are already available. Users of Suse Linux can update using the online updater. Users with other systems can patch the source code and build a fix. Users that do not have either of these options are advised to restrict use of Rsync to trusted environments.

Related content

comments powered by Disqus

Issue 234/2020

Buy this issue as a PDF

Digital Issue: Price $12.99
(incl. VAT)

News

Tag Cloud

Administration Community Desktop Events Hardware Linux Linux Pro Magazine Mobile Programming Software Ubuntu Web Development Windows free software open source