Univention Bugzilla – Bug 49093
rsync: Multiple issues (4.2)
Last modified: 2019-03-27 16:44:53 CET
New Debian rsync 3.1.1-3+deb8u2A~4.2.5.201903260804 fixes: This update addresses the following issues: * Out-of-bounds pointer arithmetic in inftrees.c (CVE-2016-9840) * Out-of-bounds pointer arithmetic in inffast.c (CVE-2016-9841) * Undefined left shift of negative number (CVE-2016-9842) * Big-endian out-of-bounds pointer (CVE-2016-9843) * sanitization bypass in parse_argument in options.c (CVE-2018-5764)
--- mirror/ftp/4.2/unmaintained/4.2-4/source/rsync_3.1.1-3+deb8u1A~4.2.3.201801251012.dsc +++ apt/ucs_4.2-0-errata4.2-5/source/rsync_3.1.1-3+deb8u2A~4.2.5.201903260804.dsc @@ -1,7 +1,26 @@ -3.1.1-3+deb8u1A~4.2.3.201801251012 [Thu, 25 Jan 2018 10:20:24 +0100] Univention builddaemon <buildd@univention.de>: +3.1.1-3+deb8u2A~4.2.5.201903260804 [Tue, 26 Mar 2019 08:04:31 +0100] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package 01_dirs_update_option + +3.1.1-3+deb8u2 [Sun, 24 Mar 2019 19:03:02 +0100] Thorsten Alteholz <debian@alteholz.de>: + + * Non-maintainer upload by the LTS Team. + * CVE-2016-9840 + In order to avoid undefined behavior, remove offset pointer + optimization, as this is not compliant with the C standard. + * CVE-2016-9841 + Only use post-increment to be compliant with the C standard. + * CVE-2016-9842 + In order to avoid undefined behavior, do not shift negative values, + as this is not compliant with the C standard. + * CVE-2016-9843 + In order to avoid undefined behavior, do not pre-decrement a pointer in + big-endian CRC calculation, as this is not compliant with the C standard. + * CVE-2018-5764 + Prevent remote attackers from being able to bypass the + argument-sanitization protection mechanism by ignoring --protect-args + when already sent by client. 3.1.1-3+deb8u1 [Sun, 10 Dec 2017 14:08:49 +0100] Salvatore Bonaccorso <carnil@debian.org>: <http://10.200.17.11/4.2-5/#2975977654560436824>
OK: yaml OK: announce_errata OK: patch OK: piuparts [4.2-5] ca5e62dd3f Bug #49093: rsync 3.1.1-3+deb8u2A~4.2.5.201903260804 doc/errata/staging/rsync.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) [4.2-5] 99950126ff Bug #49093: rsync 3.1.1-3+deb8u2A~4.2.5.201903260804 doc/errata/staging/rsync.yaml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+)
<http://errata.software-univention.de/ucs/4.2/625.html>