
CSSA-2002-014.0-Linux: rsync supplementary groups vulnerability

by Nikola Strahija on April 5th, 2002

Supplementary groups to which the rsync daemon belongs (such as root) were not removed from the server process before it performed work as an unprivileged uid and gid. The rsync daemon was also compiled with a vulnerable version of the zlib library. This package corrects both these issues.


2. Vulnerable Supported Versions

System                        Package
-----------------------------------------------------------
OpenLinux 3.1.1 Server        prior to rsync-2.5.0-5.i386.rpm
                              prior to rsync-2.5.0-5.src.rpm

OpenLinux 3.1.1 Workstation   prior to rsync-2.5.0-5.i386.rpm
                              prior to rsync-2.5.0-5.src.rpm


3. Solution

The proper solution is to install the latest packages.


4. OpenLinux 3.1.1 Server

4.1 Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS

2c8f978df12dabf073361c86f7012210 rsync-2.5.0-5.i386.rpm

4.2 Installation

Install the packages with the following sequence:

    rpm -Fvh rsync-2.5.0-5.i386.rpm

4.3 Source Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS

bffd618c0ad88252b35c33ac821253ad rsync-2.5.0-5.src.rpm


5. OpenLinux 3.1.1 Workstation

5.1 Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/RPMS

2c8f978df12dabf073361c86f7012210 rsync-2.5.0-5.i386.rpm

5.2 Installation

Install the packages with the following sequence:

    rpm -Fvh rsync-2.5.0-5.i386.rpm

5.3 Source Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/SRPMS

bffd618c0ad88252b35c33ac821253ad rsync-2.5.0-5.src.rpm


6. References

Specific references for this advisory:
none


Caldera OpenLinux security resources:
http://www.caldera.com/support/security/index.html

Caldera UNIX security resources:
http://stage.caldera.com/support/security/

This security fix closes Caldera incidents sr862089, fz520415,
and erg711995.


7. Disclaimer

Caldera International, Inc. is not responsible for the misuse
of any of the information we provide on this website and/or
through our security advisories. Our advisories are a service
to our customers intended to promote secure installation and
use of Caldera products.


8. Acknowledgements

Ethan Benson discovered and researched this vulnerability.
