Package name rsync
Date April 11th, 2008
Advisory ID MDVSA-2008:084
Affected versions CS3.0, 2007.0, CS4.0, 2007.1, 2008.0, 2008.1
Synopsis Updated rsync packages fix vulnerability

Problem Description

Sebastian Krahmer of SUSE discovered that rsync could overflow when
handling ACLs. An attakcer could construct a malicious set of files
that, when processed, could lead to arbitrary code execution or a crash
(CVE-2008-1720).

The updated packages have been patched to correct this issue.

Updated Packages

Corporate Server 3.0

 0ec10ce483edb010b3fa914de3a249d5  corporate/3.0/i586/rsync-2.6.9-4.2.C30mdk.i586.rpm 
 03e2cc506c2df32dcecddfc005aaefe9  corporate/3.0/SRPMS/rsync-2.6.9-4.2.C30mdk.src.rpm

Corporate Server 3.0/X86_64

 242602d0ff175c4ef6a36bcf0f2fc544  corporate/3.0/x86_64/rsync-2.6.9-4.2.C30mdk.x86_64.rpm 
 03e2cc506c2df32dcecddfc005aaefe9  corporate/3.0/SRPMS/rsync-2.6.9-4.2.C30mdk.src.rpm

Mandriva Linux 2007

 015dee0e8b724a60a702aac81194128b  2007.0/i586/rsync-2.6.9-5.2mdv2007.0.i586.rpm 
 da32538186f22095454d5fd905c43f18  2007.0/SRPMS/rsync-2.6.9-5.2mdv2007.0.src.rpm

Mandriva Linux 2007/X86_64

 6c40f172781c4b6e8e29afea66eceda5  2007.0/x86_64/rsync-2.6.9-5.2mdv2007.0.x86_64.rpm 
 da32538186f22095454d5fd905c43f18  2007.0/SRPMS/rsync-2.6.9-5.2mdv2007.0.src.rpm

Corporate Server 4.0

 436bcca45d69c4ad6bd662c9554b21b3  corporate/4.0/i586/rsync-2.6.9-4.2.20060mlcs4.i586.rpm 
 59a9aacffd74793315403ea016e4cd80  corporate/4.0/SRPMS/rsync-2.6.9-4.2.20060mlcs4.src.rpm

Corporate Server 4.0/X86_64

 105b47b006fc912edb42fc5ff170b89a  corporate/4.0/x86_64/rsync-2.6.9-4.2.20060mlcs4.x86_64.rpm 
 59a9aacffd74793315403ea016e4cd80  corporate/4.0/SRPMS/rsync-2.6.9-4.2.20060mlcs4.src.rpm

Mandriva Linux 2007.1

 c9ca16a3e8d078ff91544bed44adf29a  2007.1/i586/rsync-2.6.9-5.2mdv2007.1.i586.rpm 
 e2fd457f3d5b29d2e0ff2e90103edf52  2007.1/SRPMS/rsync-2.6.9-5.2mdv2007.1.src.rpm

Mandriva Linux 2007.1/X86_64

 04f27441429d634ac818987560a4c84b  2007.1/x86_64/rsync-2.6.9-5.2mdv2007.1.x86_64.rpm 
 e2fd457f3d5b29d2e0ff2e90103edf52  2007.1/SRPMS/rsync-2.6.9-5.2mdv2007.1.src.rpm

Mandriva Linux 2008.0

 a94efaeca944875ae05ae4ed6258db87  2008.0/i586/rsync-2.6.9-5.2mdv2008.0.i586.rpm 
 9b325b104fc1b0252103c1fd7d92b64e  2008.0/SRPMS/rsync-2.6.9-5.2mdv2008.0.src.rpm

Mandriva Linux 2008.0/X86_64

 c1345a5a22eb0b15dc7975cb39ae75d3  2008.0/x86_64/rsync-2.6.9-5.2mdv2008.0.x86_64.rpm 
 9b325b104fc1b0252103c1fd7d92b64e  2008.0/SRPMS/rsync-2.6.9-5.2mdv2008.0.src.rpm

Mandriva Linux 2008.1

 303269d032057cf2188daa61c5a9514e  2008.1/i586/rsync-3.0.2-0.1mdv2008.1.i586.rpm 
 4d6d3d0908bd35a4151e9c05b848affc  2008.1/SRPMS/rsync-3.0.2-0.1mdv2008.1.src.rpm

Mandriva Linux 2008.1/X86_64

 de82c38e7c764990cd8cec60907af8d0  2008.1/x86_64/rsync-3.0.2-0.1mdv2008.1.x86_64.rpm 
 4d6d3d0908bd35a4151e9c05b848affc  2008.1/SRPMS/rsync-3.0.2-0.1mdv2008.1.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1720

Upgrade

To upgrade automatically, use MandrivaUpdate.


Verification

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command :

                rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.