ID CVE-2007-4091
Summary Multiple off-by-one errors in sender.c in rsync 2.6.9 might allow remote attackers to execute arbitrary code via directory names that are not properly handled when calling the f_name function.
References
Vulnerable Configurations
  • cpe:2.3:a:rsync:rsync:2.6.9
CVSS
Base: 6.8 (as of 16-08-2007 - 04:45)
Impact:
Exploitability:
Access
  Vector: NETWORK
  Complexity: MEDIUM
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1360.NASL
    description Sebastian Krahmer discovered that rsync, a fast remote file copy program, contains an off-by-one error which might allow remote attackers to execute arbitrary code via long directory names.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 25960
    published 2007-09-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25960
    title Debian DSA-1360-1 : rsync - buffer overflow
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2007-335-01.NASL
    description New rsync packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, 12.0, and -current to fix security issues.
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 29188
    published 2007-12-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29188
    title Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 8.1 / 9.0 / 9.1 / current : rsync (SSA:2007-335-01)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_RSYNC-3996.NASL
    description An off by one buffer overflow within the f_name() function has been fixed. CVE-2007-4091 has been assigned to this issue.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27420
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27420
    title openSUSE 10 Security Update : rsync (rsync-3996)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-500-1.NASL
    description Sebastian Krahmer discovered that rsync contained an off-by-one miscalculation when handling certain file paths. By creating a specially crafted tree of files and tricking an rsync server into processing them, a remote attacker could write a single NULL to stack memory, possibly leading to arbitrary code execution. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 28103
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28103
    title Ubuntu 6.06 LTS / 6.10 / 7.04 : rsync vulnerability (USN-500-1)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200709-13.NASL
    description The remote host is affected by the vulnerability described in GLSA-200709-13 (rsync: Two buffer overflows). Sebastian Krahmer from the SUSE Security Team discovered two off-by-one errors in the function 'f_name()' in file sender.c when processing overly long directory names. Impact: A remote attacker could entice a user to synchronize a repository containing specially crafted directories, leading to the execution of arbitrary code with the privileges of the user running the application. Workaround: There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 26103
    published 2007-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=26103
    title GLSA-200709-13 : rsync: Two buffer overflows
  • NASL family SuSE Local Security Checks
    NASL id SUSE_RSYNC-3997.NASL
    description An off by one buffer overflow within the f_name() function has been fixed. CVE-2007-4091 has been assigned to this issue.
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 29569
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29569
    title SuSE 10 Security Update : rsync (ZYPP Patch Number 3997)
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL15548.NASL
    description Multiple off-by-one errors in sender.c in rsync 2.6.9 might allow remote attackers to execute arbitrary code via directory names that are not properly handled when calling the f_name function.
    last seen 2019-02-21
    modified 2019-01-04
    plugin id 78193
    published 2014-10-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78193
    title F5 Networks BIG-IP : Rsync sender.c vulnerability (SOL15548)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_AF8E3A0C500911DC8A43003048705D5A.NASL
    description BugTraq reports: The rsync utility is prone to an off-by-one buffer-overflow vulnerability. This issue is due to a failure of the application to properly bounds-check user-supplied input. Successfully exploiting this issue may allow arbitrary code-execution in the context of the affected utility.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 25942
    published 2007-08-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25942
    title FreeBSD : rsync -- off by one stack overflow (af8e3a0c-5009-11dc-8a43-003048705d5a)
refmap via4
bid 25336
bugtraq 20070823 FLEA-2007-0047-1 rsync
confirm
debian DSA-1360
gentoo GLSA-200709-13
secunia
  • 26493
  • 26518
  • 26537
  • 26543
  • 26548
  • 26634
  • 26822
  • 26911
  • 27896
  • 61039
slackware SSA:2007-335-01
suse SUSE-SR:2007:017
trustix 2007-0026
ubuntu USN-500-1
vupen ADV-2007-2915
xf rsync-fname-bo(36072)
statements via4
contributor Mark J Cox
lastmodified 2007-08-22
organization Red Hat
statement Not vulnerable. This flaw did not affect Red Hat Enterprise Linux 2.1, 3, or 4 due to the version of rsync. This flaw does exist in Red Hat Enterprise Linux 5, but due to the nature of the flaw it is not exploitable with any security consequence due to stack-protector.
Last major update 06-01-2017 - 21:59
Published 15-08-2007 - 20:17
Last modified 15-10-2018 - 17:33