ELA-95-1 rsync security update

several issues found

2019-03-24
Package: rsync
Version: 3.0.9-4+deb7u3
Related CVEs: CVE-2016-9840, CVE-2016-9841, CVE-2016-9843


Trail of Bits used the automated vulnerability discovery tools developed for the DARPA Cyber Grand Challenge to audit zlib and found several instances of undefined behaviour in its pointer arithmetic. rsync, a fast, versatile, remote (and local) file-copying tool, ships and links its own embedded copy of zlib rather than the system library, so those issues are also present in rsync and are not addressed by updating the zlib package alone.

CVE-2016-9840: inftrees.c stepped its table base pointers back by a constant before the start of the arrays so that lookups could be indexed by the raw symbol value (an "offset pointer" optimisation). Forming a pointer outside an array is undefined behaviour under the C standard even when it is never dereferenced; the optimisation was removed and the lookups now subtract the offset from the index instead.

CVE-2016-9841: inffast.c started its input and output pointers one element before their buffers and advanced them with pre-increment (*++p). The pointers now stay within the buffers and are advanced with post-increment (*p++), the only form the C standard guarantees.

CVE-2016-9843: crc32.c, in the big-endian word-at-a-time CRC loop, pre-decremented the buffer pointer to before the start of the buffer and then walked it with pre-increment. The loop now uses post-increment and never forms a pointer before the buffer.
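As an added illustration, not zlib's or rsync's own code, the following C program computes a byte-at-a-time CRC-32 twice: once with the pointer idiom that the CVE-2016-9841 and CVE-2016-9843 fixes removed from zlib (step the pointer back to before the buffer, then read with pre-increment), and once with the compliant post-increment form. The same principle, a pointer formed outside its array, is what CVE-2016-9840 corrected. The function names and the "123456789" check input are constructed for this example; zlib's real crc32.c loop works a 32-bit word at a time, which is simplified to single bytes here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* CRC-32 (IEEE 802.3, reflected, polynomial 0xEDB88320), one byte per
 * step. The lookup table is built on first use. */
static uint32_t crc_table[256];
static int crc_table_ready = 0;

static void ensure_crc_table(void)
{
    if (crc_table_ready)
        return;
    for (uint32_t n = 0; n < 256; n++) {
        uint32_t c = n;
        for (int k = 0; k < 8; k++)
            c = (c & 1u) ? (0xEDB88320u ^ (c >> 1)) : (c >> 1);
        crc_table[n] = c;
    }
    crc_table_ready = 1;
}

/* The idiom the zlib fixes removed: the pointer is stepped to one element
 * BEFORE the buffer and then read with pre-increment (*++p). Evaluating
 * buf - 1 is undefined behaviour in C (C11 6.5.6p8): pointer arithmetic is
 * only defined within the array and to one past its end, whether or not the
 * result is dereferenced. In practice it "works", which is why it survived
 * in zlib for years, but the compiler is entitled to assume it never
 * happens. Kept here for comparison only, not as a pattern to copy. */
static uint32_t crc32_predecrement(const unsigned char *buf, size_t len)
{
    uint32_t c = 0xFFFFFFFFu;
    const unsigned char *p = buf;

    ensure_crc_table();
    p--;                                    /* undefined: before the buffer */
    while (len-- > 0)
        c = crc_table[(c ^ *++p) & 0xFFu] ^ (c >> 8);
    return c ^ 0xFFFFFFFFu;
}

/* The compliant form the fixed zlib uses: the pointer starts at buf and is
 * advanced with post-increment (*buf++), so it only ever points into the
 * buffer or one past its end. */
static uint32_t crc32_postincrement(const unsigned char *buf, size_t len)
{
    uint32_t c = 0xFFFFFFFFu;

    ensure_crc_table();
    while (len-- > 0)
        c = crc_table[(c ^ *buf++) & 0xFFu] ^ (c >> 8);
    return c ^ 0xFFFFFFFFu;
}

/* Constructed check input: the standard CRC-32 test vector "123456789",
 * whose CRC is 0xCBF43926. */
static const unsigned char check_input[] = "123456789";

int main(void)
{
    size_t n = sizeof(check_input) - 1;     /* drop the terminating NUL */
    uint32_t a = crc32_predecrement(check_input, n);
    uint32_t b = crc32_postincrement(check_input, n);

    printf("pre-decrement idiom : 0x%08X\n", (unsigned)a);
    printf("post-increment form : 0x%08X\n", (unsigned)b);
    /* Same answer either way: the defect is invisible in the output and
     * only visible to the language rules, which is why such code needs an
     * audit rather than a test suite to find it. */
    return (a == b && b == 0xCBF43926u) ? 0 : 1;
}
```

Both functions return the same CRC on every input, which is exactly the point: nothing observable distinguishes the undefined form from the compliant one on today's compilers, so the fix is justified by the standard, not by a failing test.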



For Debian 7 Wheezy, these problems have been fixed in version 3.0.9-4+deb7u3.

We recommend that you upgrade your rsync packages. After the upgrade, dpkg -s rsync should report Version: 3.0.9-4+deb7u3 or later.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.