Ubuntu Security Notice USN-500-1
20th August, 2007
rsync vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 7.04
- Ubuntu 6.10
- Ubuntu 6.06 LTS
Details
Sebastian Krahmer discovered that rsync contained an off-by-one
miscalculation when handling certain file paths. By creating a specially
crafted tree of files and tricking an rsync server into processing them,
a remote attacker could write a single NULL to stack memory, possibly
leading to arbitrary code execution.
Update instructions
The problem can be corrected by updating your system to the following package version:
- Ubuntu 7.04:
- rsync 2.6.9-3ubuntu1.1
- Ubuntu 6.10:
- rsync 2.6.8-2ubuntu3.1
- Ubuntu 6.06 LTS:
- rsync 2.6.6-1ubuntu2.1
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system upgrade is sufficient to effect the
necessary changes.