UbuntuUpdates.org

Package "rsync"

Name: rsync

Description:

fast, versatile, remote (and local) file-copying tool

Latest version: 3.1.2-2.1ubuntu1.5
Release: bionic (18.04)
Level: security
Repository: main
Homepage: http://rsync.samba.org/

Links


Download "rsync"


Other versions of "rsync" in Bionic

Repository Area Version
base main 3.1.2-2.1ubuntu1
updates main 3.1.2-2.1ubuntu1.5

Changelog

Version: 3.1.2-2.1ubuntu1.5 2022-08-18 23:08:48 UTC

  rsync (3.1.2-2.1ubuntu1.5) bionic-security; urgency=medium

  * SECURITY UPDATE: zlib buffer overflow when inflating certain gzip
    hearders.
    - debian/patches/CVE-2022-37434-1.patch: catches overflow in
      inflateGetHeader by enforcing buffer size.
    - debian/patches/CVE-2022-37434-2.patch: prevents NULL dereference
      regression previous patch introduced.
    - CVE-2022-37434

 -- Mark Esler <email address hidden> Tue, 16 Aug 2022 13:38:38 -0500

Source diff to previous version
CVE-2022-37434 zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only appl

Version: 3.1.2-2.1ubuntu1.4 2022-03-31 14:06:19 UTC

  rsync (3.1.2-2.1ubuntu1.4) bionic-security; urgency=medium

  * SECURITY UPDATE: memory corruption when zlib deflating
    - debian/patches/CVE-2018-25032-1.patch: fix a bug that can crash
      deflate on some input when using Z_FIXED in zlib/deflate.c,
      zlib/deflate.h.
    - debian/patches/CVE-2018-25032-2.patch: assure that the number of bits
      for deflatePrime() is valid in zlib/deflate.c.
    - CVE-2018-25032

 -- Marc Deslauriers <email address hidden> Wed, 30 Mar 2022 12:16:36 -0400

Source diff to previous version
CVE-2018-25032 zlib 1.2.11 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

Version: 3.1.2-2.1ubuntu1.1 2020-02-25 02:07:11 UTC

  rsync (3.1.2-2.1ubuntu1.1) bionic-security; urgency=medium

  * SECURITY UPDATE: improper pointer arithmetic might allow
    context-dependent attackers to have unspecified impact
    - debian/patches/CVE-2016-9840.patch: remove offset pointer optimization
      in inftrees.c.
    - CVE-2016-9840
  * SECURITY UPDATE: improper pointer arithmetic might allow
    context-dependent attackers to have unspecified impact
    - debian/patches/CVE-2016-9841.patch: use post-increment only in inffast.c.
    - CVE-2016-9841
  * SECURITY UPDATE: vectors involving left shifts of negative integers might
    allow context-dependent attackers to have unspecified impact
    - debian/patches/CVE-2016-9842_1.patch: avoid shifts of negative values in
      inflateMark().
    - debian/patches/CVE-2016-9842_2.patch: avoid casting an out-of-range
      value to long.
    - CVE-2016-9842
  * SECURITY UPDATE: vectors involving big-endian CRC calculation might allow
    context-dependent attackers to have unspecified impact
    - debian/patches/CVE-2016-9843.patch: avoid pre-decrement of pointer in
      big-endian CRC calculation.
    - CVE-2016-9843

 -- Avital Ostromich <email address hidden> Tue, 18 Feb 2020 16:03:13 -0500

CVE-2016-9840 inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.
CVE-2016-9841 inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.
CVE-2016-9842 The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shi
CVE-2016-9843 The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian C



About   -   Send Feedback to @ubuntu_updates