Summary: | Trail of Bits used the automated vulnerability discovery tools developed;for the DARPA Cyber Grand Challenge to audit zlib. As rsync, a fast,;versatile, remote (and local) file-copying tool, uses an embedded copy of;zlib, those issues are also present in rsync.;;CVE-2016-9840;In order to avoid undefined behavior, remove offset pointer;optimization, as this is not compliant with the C standard.;;CVE-2016-9841;Only use post-increment to be compliant with the C standard.;;CVE-2016-9842;In order to avoid undefined behavior, do not shift negative values,;as this is not compliant with the C standard.;;CVE-2016-9843;In order to avoid undefined behavior, do not pre-decrement a pointer;in big-endian CRC calculation, as this is not compliant with the;C standard.;;CVE-2018-5764;Prevent remote attackers from being able to bypass the;argument-sanitization protection mechanism by ignoring --protect-args;when already sent by client. |
Description: | Summary: Trail of Bits used the automated vulnerability discovery tools developed for the DARPA Cyber Grand Challenge to audit zlib. As rsync, a fast, versatile, remote (and local) file-copying tool, uses an embedded copy of zlib, those issues are also present in rsync.
CVE-2016-9840 In order to avoid undefined behavior, remove offset pointer optimization, as this is not compliant with the C standard.
CVE-2016-9841 Only use post-increment to be compliant with the C standard.
CVE-2016-9842 In order to avoid undefined behavior, do not shift negative values, as this is not compliant with the C standard.
CVE-2016-9843 In order to avoid undefined behavior, do not pre-decrement a pointer in big-endian CRC calculation, as this is not compliant with the C standard.
CVE-2018-5764 Prevent remote attackers from being able to bypass the argument-sanitization protection mechanism by ignoring --protect-args when already sent by client.
Affected Software/OS: rsync on Debian Linux
Solution: For Debian 8 'Jessie', these problems have been fixed in version 3.1.1-3+deb8u2.
We recommend that you upgrade your rsync packages.
CVSS Score: 7.5
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
|