CVE-2017-16548

Priority
Low
Description
The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development
does not check for a trailing '\0' character in an xattr name, which allows
remote attackers to cause a denial of service (heap-based buffer over-read
and application crash) or possibly have unspecified other impact by sending
crafted data to the daemon.
References
Bugs
Package
Source: rsync (LP Ubuntu Debian)
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):released (3.0.9-1ubuntu1.3)
Ubuntu 14.04 LTS (Trusty Tahr):released (3.1.0-2ubuntu0.4)
Ubuntu 16.04 LTS (Xenial Xerus):released (3.1.1-3ubuntu1.2)
Ubuntu 17.10 (Artful Aardvark):released (3.1.2-2ubuntu0.2)
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (3.1.2-2.1)
Patches:
Upstream:https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1
More Information

Updated: 2018-06-26 05:02:03 UTC (commit 7799c934cca373482531a7b00e4dfe82302ceae5)