On Thu 30 Aug 2007, [EMAIL PROTECTED] wrote:
> Thu, 30 Aug 2007 01:41:01 -0400, danno wrote:
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4091
> > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4091
> > SUSE has provided fixed RPMs for SUSE 10.0 - 10.2 some days ago.
> But rsync's cvs sources do not contain the string "4091", yet.

While preparing an update for Debian due to this issue, I contacted Wayne and he informed me that the CVS version doesn't have this issue (it was already fixed prior to the alert), so there's little chance of the CVE number being mentioned in the CVS logs... In other words, absence of the string "4091" doesn't mean the CVS version is vulnerable.

He also gave a patch for 2.6.9 that was much simpler than the one published in connection with this alert:

--- rsync-2.6.9/flist.c 2006-10-13 18:17:36.000000000 -0700 +++ flist.c 2007-08-15 14:28:59.000000000 -0700 @@ -735,7 +735,7 @@ struct file_struct *make_file(char *fnam lastdir_len = -1; if (strlcpy(thisname, fname, sizeof thisname) - >= sizeof thisname - flist_dir_len) { + >= sizeof thisname - flist_dir_len - 1) { rprintf(FINFO, "skipping overly long name: %s\n", fname); return NULL; }

Paul Slootman
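Review bot: the only change is the extra `- 1` in the length check, and nothing in the hunk says what that reserved byte is for; a one-line comment beside the comparison, naming what gets appended to thisname after the flist_dir_len prefix that the original budget did not account for, would make the bound auditable rather than a magic constant. It is also worth confirming that flist_dir_len is bounded elsewhere so that it can never reach `sizeof thisname - 1`: `sizeof thisname` is a size_t, so the subtraction is unsigned and an out-of-range flist_dir_len would wrap the right-hand side to a huge value, after which the "skipping overly long name" branch would never fire. Comparing against the return value of `strlcpy` is the right choice here, since it reports the full length of fname even when the copy was truncated, so an overlong name is still rejected rather than silently shortened.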