CVE-2008-1720

Summary

CVE: CVE-2008-1720
State: PUBLIC
Assigner: [email protected]
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2008-04-10 19:05:00 UTC
Updated: 2023-02-13 02:19:00 UTC
Description: Buffer overflow in rsync 2.6.9 to 3.0.1, with extended attribute (xattr) support enabled, might allow remote attackers to execute arbitrary code via unknown vectors.

Risk And Classification

Problem Types: CWE-119

NVD Known Affected Configurations (CPE 2.3)

Type Vendor Product Version Update Edition Language
Application Samba Rsync 2.6.9 All All All
Application Samba Rsync 2.7.0 All All All
Application Samba Rsync 2.7.1 All All All
Application Samba Rsync 2.7.2 All All All
Application Samba Rsync 2.7.3 All All All
Application Samba Rsync 2.7.4 All All All
Application Samba Rsync 2.7.5 All All All
Application Samba Rsync 2.7.6 All All All
Application Samba Rsync 2.7.7 All All All
Application Samba Rsync 2.7.8 All All All
Application Samba Rsync 2.7.9 All All All
Application Samba Rsync 2.8.0 All All All
Application Samba Rsync 2.8.1 All All All
Application Samba Rsync 2.8.2 All All All
Application Samba Rsync 2.8.3 All All All
Application Samba Rsync 2.8.4 All All All
Application Samba Rsync 2.8.5 All All All
Application Samba Rsync 2.8.6 All All All
Application Samba Rsync 2.8.7 All All All
Application Samba Rsync 2.8.8 All All All
Application Samba Rsync 2.8.9 All All All
Application Samba Rsync 2.9.0 All All All
Application Samba Rsync 2.9.1 All All All
Application Samba Rsync 2.9.2 All All All
Application Samba Rsync 2.9.3 All All All
Application Samba Rsync 2.9.4 All All All
Application Samba Rsync 2.9.5 All All All
Application Samba Rsync 2.9.6 All All All
Application Samba Rsync 2.9.7 All All All
Application Samba Rsync 2.9.8 All All All
Application Samba Rsync 2.9.9 All All All
Application Samba Rsync 3.0.0 All All All
Application Samba Rsync 3.0.1 All All All

References

Reference Source Link Tags
IBM X-Force Exchange XF exchange.xforce.ibmcloud.com
[security-announce] SUSE Security Summary Report SUSE-SR:2008:011 SUSE lists.opensuse.org
Ubuntu update for rsync - Advisories - Secunia SECUNIA secunia.com
Webmail- OVH VUPEN www.vupen.com
[SECURITY] Fedora 7 Update: rsync-2.6.9-6.fc7 FEDORA www.redhat.com
Support / Security / Advisories / / MDVSA-2008:084 | Mandriva MANDRIVA www.mandriva.com
Debian -- Security Information -- DSA-1545-1 rsync DEBIAN www.debian.org
[SECURITY] Fedora 8 Update: rsync-2.6.9-5.fc8 FEDORA www.redhat.com
SourceForge.net: SysAdmin Tools from ITeF!x: Files CONFIRM sourceforge.net
Mandriva update for rsync - Advisories - Secunia SECUNIA secunia.com
Rsync Buffer Overflow in Extended Attribute Support Code Lets Remote Users Execute Arbitrary Code - SecurityTracker SECTRACK www.securitytracker.com
[rsync-announce] Rsync 3.0.2 released w/xattr security fix (attn: 2.6.9 MISC www.mail-archive.com
44369 OSVDB www.osvdb.org
USN-600-1: rsync vulnerability | Ubuntu security notices UBUNTU usn.ubuntu.com
rsync "xattr" Integer Overflow Vulnerability - Advisories - Secunia SECUNIA secunia.com
rsync: Execution of arbitrary code — Gentoo Linux Documentation GENTOO security.gentoo.org
Rsync 'xattr' Support Integer Overflow Vulnerability BID www.securityfocus.com
cwRsync "xattr" Integer Overflow Vulnerability - Secunia Advisories - Vulnerability Intelligence - Secunia.com SECUNIA secunia.com
Debian update for rsync - Secunia Advisories - Vulnerability Intelligence - Secunia.com SECUNIA secunia.com
[rsync-announce] Rsync 3.0.2 released w/xattr security fix (attn: 2.6.9 MLIST www.mail-archive.com
Webmail - OVH VUPEN www.vupen.com
rsync CONFIRM samba.anu.edu.au Patch
44368 OSVDB www.osvdb.org
rsync.samba.org/ftp/rsync/security/rsync-3.0.1-xattr-alloc.diff CONFIRM rsync.samba.org Patch
441683 – (CVE-2008-1720) CVE-2008-1720 rsync: integer overflow in xattr handling MISC bugzilla.redhat.com
CVE-2008-1720 - Red Hat Customer Portal MISC access.redhat.com
'[security bulletin] HPSBMA02447 SSRT090062 rev.1 - Insight Control Suite For Linux (ICE-LX) Cross Si' - MARC HP marc.info
Gentoo update for rsync - Advisories - Secunia SECUNIA secunia.com
Fedora update for rsync - Advisories - Secunia SECUNIA secunia.com
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Vendor Comments And Credit

Organization: Red Hat
Published: 2008-04-15
Contributor: Joshua Bressers
Statement: Not vulnerable. This issue did not affect versions of rsync as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.