lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050410215918.11960.qmail@scubaninja.com>
Date: Sun Apr 10 23:21:49 2005
From: security at rsnapshot.org (security@...apshot.org)
Subject: rsnapshot Security Advisory 001

============================================================================
rsnapshot Security Advisory 001                       security@...apshot.org
http://www.rsnapshot.org/security/
Apr 10th, 2005                                             Nathan Rosenquist
============================================================================

  Severity:      high
  Vulnerability: local privilege escalation
  Fix provided:  yes

-------------
1) Background
-------------

rsnapshot is a filesystem snapshot utility for making backups of local and
remote systems.

Using rsync and hard links, it is possible to keep multiple, full backups
instantly available. The disk space required is just a little more than the
space of one full backup, plus incrementals.

----------------------
2) Problem description
----------------------

The copy_symlink() subroutine in rsnapshot incorrectly changes file
ownership on the files pointed to by symlinks, not on the symlinks
themselves. This would allow, under certain circumstances, an arbitrary
user to take ownership of a file on the main filesystem.

This subroutine is called under the following circumstances:

  a) If the cmd_cp parameter has NOT been enabled, OR

  b) If the backup_script parameter is set, and the backup script
     generates symlinks as part of its output

  c) AND if the attacker can create symlinks in a directory that is backed
     up, either by creating them directly or influencing a backup script.

This vulnerability has been fixed in rsnapshot versions 1.1.7 and 1.2.1.
It is recommended that all users upgrade immediately.

-----------------------
3) Upgrade Instructions
-----------------------

For users of rsnapshot 1.2.0, download and install version 1.2.1.

For users of rsnapshot 1.1.6 or earlier, download and install version
1.1.7.

  ---------------
  rsnapshot 1.2.1
  ---------------
  http://www.rsnapshot.org/downloads/rsnapshot-1.2.1.tar.gz
  http://www.rsnapshot.org/downloads/rsnapshot-1.2.1.tar.gz.asc

  http://www.rsnapshot.org/downloads/rsnapshot-1.2.1-1.noarch.rpm
  http://www.rsnapshot.org/downloads/rsnapshot-1.2.1-1.noarch.rpm.asc

  http://www.rsnapshot.org/downloads/rsnapshot_1.2.1-1_all.deb
  http://www.rsnapshot.org/downloads/rsnapshot_1.2.1-1_all.deb.asc

  ---------------
  rsnapshot 1.1.7
  ---------------
  http://www.rsnapshot.org/downloads/rsnapshot-1.1.7.tar.gz
  http://www.rsnapshot.org/downloads/rsnapshot-1.1.7.tar.gz.asc

  http://www.rsnapshot.org/downloads/rsnapshot-1.1.7-1.noarch.rpm
  http://www.rsnapshot.org/downloads/rsnapshot-1.1.7-1.noarch.rpm.asc

  http://www.rsnapshot.org/downloads/rsnapshot_1.1.7-1_all.deb
  http://www.rsnapshot.org/downloads/rsnapshot_1.1.7-1_all.deb.asc

--------------
4) Workarounds
--------------

Enable the cmd_cp parameter (requires GNU cp, and works best on Linux).

Make sure any scripts specified by the backup_script parameter do not
create symlinks.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ