CrOS: Vulnerability reported in net-misc/rsync
Issue description

Automated analysis has detected that the following third party packages have had vulnerabilities publicly reported.

NOTE: There may be several bugs listed below - in almost all cases, all bugs can be quickly addressed by upgrading to the latest version of the package.

Package Name: net-misc/rsync
Package Version: [cpe:/a:samba:rsync:3.1.2]
Advisory: CVE-2017-16548
Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-16548
CVSS severity score: 7.5/10.0
Confidence: high
Description: The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing '\0' character in an xattr name, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly have unspecified other impact by sending crafted data to the daemon.
Nov 30 2017
Here is the patch that fixes the issue: https://git.samba.org/rsync.git/?p=rsync.git;a=commitdiff;h=47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1;hp=bc112b0e7feece62ce98708092306639a8a53cce
Nov 30 2017
Hey Lutz, it looks like we bring in rsync via samba. Can you take a look to make sure this is fixed on ToT?
Nov 30 2017
The lakitu guys handled this via b/69896276: https://chromium-review.googlesource.com/797673
Dec 1 2017
Mar 9 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 28
Comment 1 by allenwebb@chromium.org, Nov 30 2017
Owner: allenwebb@chromium.org
Status: Assigned (was: Untriaged)