Network Security Audits / Vulnerability Assessments by SecuritySpace

Vulnerability Search		Search 219043 CVE descriptions and 99761 test descriptions, access 10,000+ cross references.
	Tests CVE All

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

--------------------------------------------------------------------------
   Turbolinux Security Advisory TLSA-2003-67
   http://www.turbolinux.co.jp/security/
                                             security-team@turbolinux.co.jp
--------------------------------------------------------------------------

Original released date : 06 Dec 2003
Last revised           : 06 Dec 2003

Package : rsync

Summary : Heap overflow

More information :
    rsync uses the "rsync algorithm" which provides a very fast method for
    bringing remote files into sync. It does this by sending just the
    differences in the files across the link, without requiring that both
    sets of files are present at one of the ends of the link beforehand.
    Rsync version 2.5.6 and earlier contains a heap overflow vulnerability
    that can be used to remotely run arbitrary code.

    Please note that this vulnerability only affects the use of rsync as a "rsync server".

Impact :
    This vulnerability may allow remote third party to gain the root privileges.

Affected Products :
    - Turbolinux 10 Desktop
    - Turbolinux 8 Server
    - Turbolinux 8 Workstation
    - Turbolinux 7 Server
    - Turbolinux 7 Workstation
    - Turbolinux Server 6.5
    - Turbolinux Advanced Server 6
    - Turbolinux Server 6.1
    - Turbolinux Workstation 6.0

Solution :
    Please use turbopkg(zabom) tool to apply the update.
---------------------------------------------
# turbopkg
or
   zabom-1.x
# zabom update rsync
   zabom-2.x
# zabom -u rsync
---------------------------------------------

<Turbolinux 10 Desktop>

   Source Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/rsync-2.5.7-1.src.rpm
       454497 499768bcd5851f5dede0a9aaed9f67fd

   Binary Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/rsync-2.5.7-1.i586.rpm
       142068 fba3ab5d577b7eab1818c3d41e6ce13d

<Turbolinux 8 Server>

   Source Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/rsync-2.5.7-1.src.rpm
       454497 d4c79a6aba4e8a7b17d8940d6b6e1f87

   Binary Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/rsync-2.5.7-1.i586.rpm
       140316 10b89f1b0c3db89ee56dc9b735b4effa

<Turbolinux 8 Workstation>

   Source Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/rsync-2.5.7-1.src.rpm
       454497 5b521abb17456fadded17f054bd9a5b4

   Binary Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/rsync-2.5.7-1.i586.rpm
       140308 6c9f1e54680ea18d6c885fb1bfe8d924

<Turbolinux 7 Server>

   Source Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/rsync-2.5.7-1.src.rpm
       454497 da512bcc0862905542870ede94d4518c

   Binary Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/rsync-2.5.7-1.i586.rpm
       136728 fe9fd94d15842c3e6344811501329205

<Turbolinux 7 Workstation>

   Source Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/rsync-2.5.7-1.src.rpm
       454497 e7e10e4efe32ed6d0308c332b11df197

   Binary Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/rsync-2.5.7-1.i586.rpm
       136761 10f48e8a8ffa4fe9318f277767ad03ed

<Turbolinux Server 6.5>

   Source Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/updates/SRPMS/rsync-2.5.7-1.src.rpm
       454497 83ded0d90cde0b0a5e1376e468faaa42

   Binary Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/updates/RPMS/rsync-2.5.7-1.i386.rpm
       136619 b8186c802c41974daf566bc01fbd9e9b

<Turbolinux Advanced Server 6>

   Source Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/AdvancedServer/6/ja/updates/SRPMS/rsync-2.5.7-1.src.rpm
       454497 c0bd7ffb38fff1d788ae7056915acb28

   Binary Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/AdvancedServer/6/ja/updates/RPMS/rsync-2.5.7-1.i386.rpm
       136611 f6fb180f6652671a6f2627065d2c40cd

<Turbolinux Server 6.1>

   Source Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/updates/SRPMS/rsync-2.5.7-1.src.rpm
       454497 80d975cc6e84edb7da14d8566e4b7fe0

   Binary Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/updates/RPMS/rsync-2.5.7-1.i386.rpm
       136599 70d6d5c3e4a227803ea48a2be5af324b

<Turbolinux Workstation 6.0>

   Source Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/SRPMS/rsync-2.5.7-1.src.rpm
       454497 081ea78c2a4f089c452fe0a5094b68fa

   Binary Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/RPMS/rsync-2.5.7-1.i386.rpm
       136607 519b6825e9f917487a8c884b5b1a9006

References :

rsync
   http://rsync.samba.org/

CVE
   [CAN-2003-0962]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0962

--------------------------------------------------------------------------
Revision History
    06 Dec 2003 Initial release
--------------------------------------------------------------------------

Copyright(C) 2003 Turbolinux, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/0KKCK0LzjOqIJMwRAsisAJ9uMP9qkOFjr8vnGS/ES0IRoZ2KqgCff09d
EdAMiAXBEboAPh9gvO9+YtE=
=6ErL
-----END PGP SIGNATURE-----