[MBT] new ticket for pkg rsync "Unclear if zlib fix + setgroup fix are applied"
bugs at pld.org.pl
Fri Feb 28 15:25:55 CET 2003
Date: 2003-02-28 15:25:55+01 Author: (kreutzm) <kreutzm at itp.uni-hannover.de>
Title: Unclear if zlib fix + setgroup fix are applied
Ticket ID: #585
Ticket URL: http://bugs.pld.org.pl/?bug=585
Package: rsync-2.5.5-2
Distribution: PLD-Ra.main PLD-1.0.devel.main PLD-1.0.devel.test PLD-1.0.devel.supported
Category: security problem
Current state: opened
Text:
Citing from [RHSA-2002:026-35] (March 2002):
rsync: rsync is a program for synchronizing files over a network. rsync uses a modified version of zlib internally. These errata packages patch this internal version of zlib.
The rsync update package also fixes another security issue where rsync did not call setgroups() before dropping the privileges of the connecting user. Hence, it is possible for users to retain the group IDs of any supplemental groups that rsync was started in (for example, supplementary groups of the root user), allowing users to access files they may not otherwise be able to access. Thanks to Martin Pool and Andrew Tridgell for alerting us to this issue. CAN-2002-0080
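The setgroups() issue quoted above is a general privilege-dropping mistake: setgid()/setuid() change the primary IDs but leave the supplementary group list untouched, so a daemon started as root keeps root's extra groups. The following C program is an added illustration, not rsync's code or anything from the ticket; it shows the correct drop order (clear supplementary groups, then setgid, then setuid) together with a post-drop check that no group outside the target user's allowed set survived. The `leaked_groups` helper and the example UID/GID values are constructed for this illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_GROUPS 256

/* Count entries of `have` that do not appear in `allowed`.
 * Pure helper used to audit the supplementary group list after a drop. */
int leaked_groups(const gid_t *have, int nhave, const gid_t *allowed, int nallowed)
{
    int leaked = 0;
    for (int i = 0; i < nhave; i++) {
        int found = 0;
        for (int j = 0; j < nallowed; j++) {
            if (have[i] == allowed[j]) { found = 1; break; }
        }
        if (!found) leaked++;
    }
    return leaked;
}

/* Drop root privileges to (uid, gid) with exactly `groups` as supplementary
 * groups. Returns 0 on success, -1 with errno set otherwise.
 * Order matters: setgroups() and setgid() need root, so they must run before
 * setuid(). Omitting setgroups() is the defect described by CAN-2002-0080. */
int drop_privileges(uid_t uid, gid_t gid, const gid_t *groups, int ngroups)
{
    if (setgroups((size_t)ngroups, groups) != 0) return -1;   /* the missing step */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;

    /* Verify the drop is real: root must not be regainable ... */
    if (setuid(0) == 0) { errno = EPERM; return -1; }

    /* ... and no supplementary group outside the allowed set may remain. */
    gid_t cur[MAX_GROUPS];
    int n = getgroups(MAX_GROUPS, cur);
    if (n < 0) return -1;                      /* E2BIG if more than MAX_GROUPS */
    if (leaked_groups(cur, n, groups, ngroups) != 0) { errno = EPERM; return -1; }
    return 0;
}

int main(void)
{
    /* Constructed target: uid/gid 65534 ("nobody" on many systems), no extra groups. */
    if (geteuid() != 0) {
        puts("run as root to exercise drop_privileges(); showing the audit helper only");
        gid_t before[] = { 0, 4, 65534 };      /* constructed: root, adm, nobody */
        gid_t allowed[] = { 65534 };
        printf("groups that would leak: %d\n", leaked_groups(before, 3, allowed, 1));
        return 0;
    }
    if (drop_privileges(65534, 65534, NULL, 0) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("now uid=%u gid=%u, supplementary groups cleared\n",
           (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

The post-drop verification is the part worth copying: a daemon that checks `getgroups()` against its intended list after dropping privileges would have caught the rsync defect at startup rather than relying on an advisory.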