Bug 11949 - A malicious sender can still use symlinks to overwrite files
Summary: A malicious sender can still use symlinks to overwrite files
Alias: None
Product: rsync
Classification: Unclassified
Component: core
Version: 3.1.2
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assignee: Wayne Davison
QA Contact: Rsync QA Contact
Reported: 2016-06-03 11:59 UTC by Vitezslav Cizek
Modified: 2016-06-06 09:01 UTC (History)

Description Vitezslav Cizek 2016-06-03 11:59:55 UTC
Commit 962f8b90045ab331fc04c9e65f80f1a53e68243b fixed an issue where malicious servers can utilize a just-sent symlink to overwrite arbitrary files (CVE-2014-9512).
The check was implemented for the inc-recurse algorithm only.
An evil sender can bypass the check and still use the symlink vector by negotiating protocol < 30.
You might consider fixing this in the non-incremental recursive algorithm as well.
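The receiver-side check the report refers to can be shown in miniature. The following is an added illustration, not rsync's code and not the patch from either commit: a sender transmits a symlink entry and then a regular file whose path runs through that symlink, and the receiver either trusts the path (writing through the link into a file outside the destination) or first walks every parent component with lstat() and refuses anything that is not a real directory. The entry format, the names EVIL_FLIST, apply_entry_naive, apply_entry_checked and run_demo, and the constructed file list are all assumptions made for the example; the extra ".." and absolute-path rejection goes beyond what the report discusses.

```python
import os
import stat
import tempfile

# Constructed file list as a malicious sender might transmit it (hypothetical
# format, not rsync's wire encoding): first a symlink entry, then a regular
# file whose path passes through that symlink. The symlink target is filled
# in at run time so the example is self-contained.
EVIL_FLIST = [
    {"name": "dir", "type": "symlink", "target": None},
    {"name": "dir/passwd", "type": "file", "data": b"owned\n"},
]


def apply_entry_naive(dest, entry):
    """Receiver that trusts the sender's paths (the pre-fix behaviour)."""
    path = os.path.join(dest, entry["name"])
    if entry["type"] == "symlink":
        os.symlink(entry["target"], path)
    else:
        # open() follows any symlink in the parent path, so "dir/passwd"
        # is written wherever "dir" points, not inside dest.
        with open(path, "wb") as f:
            f.write(entry["data"])


def parent_is_safe(dest, relname):
    """Every component below dest on the way to relname must be a real
    directory according to lstat(), i.e. not a symlink the sender planted."""
    if relname.startswith("/") or ".." in relname.split("/"):
        return False  # extra traversal check, beyond the symlink issue itself
    cur = dest
    for comp in relname.split("/")[:-1]:
        cur = os.path.join(cur, comp)
        try:
            st = os.lstat(cur)
        except FileNotFoundError:
            return False  # no directory to write into
        if not stat.S_ISDIR(st.st_mode):
            return False
    return True


def apply_entry_checked(dest, entry):
    """Receiver with the check: refuse to write through a non-directory parent."""
    if not parent_is_safe(dest, entry["name"]):
        raise ValueError("refusing %r: parent path is not a directory" % entry["name"])
    apply_entry_naive(dest, entry)


def run_demo(checked):
    """Replay EVIL_FLIST into a fresh destination with a victim file outside it.
    Returns (victim_contents, rejected) so the effect of the check is visible."""
    with tempfile.TemporaryDirectory() as root:
        outside = os.path.join(root, "outside")
        os.mkdir(outside)
        victim = os.path.join(outside, "passwd")
        with open(victim, "wb") as f:
            f.write(b"original\n")
        dest = os.path.join(root, "dest")
        os.mkdir(dest)
        apply = apply_entry_checked if checked else apply_entry_naive
        rejected = False
        for entry in EVIL_FLIST:
            e = dict(entry)
            if e["type"] == "symlink":
                e["target"] = outside  # point the planted link outside dest
            try:
                apply(dest, e)
            except ValueError:
                rejected = True
                break
        with open(victim, "rb") as f:
            return f.read(), rejected


if __name__ == "__main__":
    print("naive receiver:  ", run_demo(checked=False))
    print("checked receiver:", run_demo(checked=True))
```

The naive receiver ends with the outside file overwritten; the checked receiver rejects the second entry because lstat() reports "dir" as a symlink rather than a directory, and the outside file is untouched. The same check must run on whichever code path produces the file list, which is the point of the report: a sender that negotiates an older protocol reaches the non-incremental path, so a check implemented only for inc-recurse would not be enough.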
Comment 1 Wayne Davison 2016-06-04 18:31:33 UTC
You'll have to be more specific, since the fix was implemented in both inc-recursive and non-inc-recursive modes (in separate fixes). I tested --protocol=29 and --no-inc-recursive w/o issue (though the older protocol isn't good enough to make the error visible on a "push" (such as a local copy), since it doesn't retrieve remote errors like protocol 30 does when the remote side dies). You can see the error via --msgs2stderr, or just rely on the error's protocol-incompatibility exit error code.
Comment 2 Wayne Davison 2016-06-04 19:10:05 UTC
FYI, the other commit is: e12a6c087ca1eecdb8eae5977be239c24f4dd3d9
Comment 3 Vitezslav Cizek 2016-06-04 19:19:04 UTC
(In reply to Wayne Davison from comment #2)
Thanks, I just found the commit too, I completely missed it before.
I reproduced this on a patched 3.1.1, not 3.1.2, if I remember it correctly.
So this report is likely invalid, I'll verify it on Monday.
Thanks for your quick response.
Comment 4 Vitezslav Cizek 2016-06-06 09:01:50 UTC
(In reply to Wayne Davison from comment #2)
The commit (https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=e12a6c087ca1eecdb8eae5977be239c24f4dd3d9) indeed fixes the issue for the older recursive algorithm.