{"uuid": "d938dc28-6877-40db-ad5f-25f3051288e6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "name": "RSYNC: 6 vulnerabilities", "description": "# 6 vulnerabilities in rsync server\n\nAs published in [https://www.openwall.com/lists/oss-security/2025/01/14/3](https://www.openwall.com/lists/oss-security/2025/01/14/3)\n\nHello OSS-security,\n\nTwo independent groups of researchers have identified a total of 6\nvulnerabilities in rsync. In the most severe CVE, an attacker only requires\nanonymous read access to a rsync server, such as a public mirror, to\nexecute arbitrary code on the machine the server is running on.\n\nUpstream has prepared patches for these CVEs. These fixes will be included\nin rsync 3.4.0 which is to be released shortly.\n\nCVE Details:\n[1] Heap Buffer Overflow in Rsync due to Improper Checksum Length Handling\n\nCVE ID: CVE-2024-12084\n\nCVSS 3.1: 9.8 - AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n\nDescription: A heap-based buffer overflow flaw was found in the rsync\ndaemon. This issue is due to improper handling of attacker-controlled\nchecksum lengths (s2length) in the code. When MAX_DIGEST_LEN exceeds the\nfixed SUM_LENGTH (16 bytes), an attacker can write out of bounds in the\nsum2 buffer.\n\nAffected Versions: >= 3.2.7 and < 3.4.0\nReporters: Simon Scannell from Google, Pedro Gallegos from Google, Jasiel\nSpelman from Google\n\nMitigation: Disable SHA* support by compiling with\nCFLAGS=-DDISABLE_SHA512_DIGEST and CFLAGS=-DDISABLE_SHA256_DIGEST.\n\n----------\n\n[2] Info Leak via Uninitialized Stack Contents\n\nCVE ID: CVE-2024-12085\n\nCVSS 3.1: 7.5 - AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n\nDescription: A flaw was found in the rsync daemon which could be triggered\nwhen rsync compares file checksums. 
This flaw allows an attacker to\nmanipulate the checksum length (s2length) to cause a comparison between a\nchecksum and uninitialized memory and leak one byte of uninitialized stack\ndata at a time.\n\nAffected Versions: < 3.4.0\n\nReporters: Simon Scannell from Google, Pedro Gallegos from Google, Jasiel\nSpelman from Google\n\nMitigation: Compile with -ftrivial-auto-var-init=zero to zero the stack\ncontents.\n\n----------\n\n[3] Rsync Server Leaks Arbitrary Client Files\n\nCVE ID: CVE-2024-12086\n\nCVSS 3.1: 6.1 - AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N\n\nDescription: A flaw was found in rsync. It could allow a server to\nenumerate the contents of an arbitrary file from the client's machine. This\nissue occurs when files are being copied from a client to a server. During\nthis process, the rsync server will send checksums of local data to the\nclient to compare with in order to determine what data needs to be sent to\nthe server. By sending specially constructed checksum values for arbitrary\nfiles, an attacker may be able to reconstruct the data of those files\nbyte-by-byte based on the responses from the client.\n\nAffected Versions: < 3.4.0\n\nReporters: Simon Scannell from Google, Pedro Gallegos from Google, Jasiel\nSpelman from Google\n\n----------\n\n[4] Path Traversal Vulnerability in Rsync\n\nCVE ID: CVE-2024-12087\n\nCVSS 3.1: 6.5 - AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\n\nDescription: A path traversal vulnerability exists in rsync. It stems from\nbehavior enabled by the `--inc-recursive` option, a default-enabled option\nfor many client options and can be enabled by the server even if not\nexplicitly enabled by the client. When using the `--inc-recursive` option,\na lack of proper symlink verification coupled with deduplication checks\noccurring on a per-file-list basis could allow a server to write files\noutside of the client's intended destination directory. 
A malicious server\ncould write malicious files to arbitrary locations named after valid\ndirectories/paths on the client.\n\nAffected Versions: < 3.4.0\nReporters: Simon Scannell from Google, Pedro Gallegos from Google, Jasiel\nSpelman from Google\n\n----------\n\n[5] --safe-links Option Bypass Leads to Path Traversal\n\nCVE ID: CVE-2024-12088\n\nCVSS 3.1: 6.5 - AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\n\nDescription: A flaw was found in rsync. When using the `--safe-links`\noption, rsync fails to properly verify if a symbolic link destination\ncontains another symbolic link within it. This results in a path traversal\nvulnerability, which may lead to arbitrary file write outside the desired\ndirectory.\n\nAffected Versions: < 3.4.0\n\nReporters: Simon Scannell from Google, Pedro Gallegos from Google, Jasiel\nSpelman from Google\n\n----------\n\n[6] Race Condition in Rsync Handling Symbolic Links\n\nCVE ID: CVE-2024-12747\n\nCVSS 3.1: 5.6 - AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N\n\nDescription: A flaw was found in rsync. This vulnerability arises from a\nrace condition during rsync's handling of symbolic links. Rsync's default\nbehavior when encountering symbolic links is to skip them. If an attacker\nreplaced a regular file with a symbolic link at the right time, it was\npossible to bypass the default behavior and traverse symbolic links.\nDepending on the privileges of the rsync process, an attacker could leak\nsensitive information, potentially leading to privilege escalation.\n\nAffected Versions: < 3.4.0\n\nReporters: Aleksei Gorban \"loqpa\"\n\nBest Regards,\n\nRed Hat Product Security\n\nNick Tait\n\nHe / Him (why?\n<https://medium.com/gender-inclusivit/why-i-put-pronouns-on-my-email-signature-and-linkedin-profile-and-you-should-too-d3dc942c8743>\n)\n\nIncident Commander - Product Security\n\n<https://www.redhat.com>\n\nsecalert@...hat.com for urgent response. My working hours may not be your\nworking hours. Do not feel obligated to reply outside of your normal work\nschedule.\n\n", "creation_timestamp": "2025-01-14T19:20:59.611947+00:00", "timestamp": "2025-01-14T19:22:34.779124+00:00", "related_vulnerabilities": ["CVE-2024-12088", "CVE-2024-12087", "CVE-2024-12085", "CVE-2024-12084", "CVE-2024-12747", "CVE-2024-12086"], "author": {"login": "adulau", "name": "Alexandre Dulaunoy", "uuid": "c933734a-9be8-4142-889e-26e95c752803"}}
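The two checksum-length issues in the advisory above (CVE-2024-12084, a write past the 16-byte sum2 buffer when the peer's s2length exceeds SUM_LENGTH, and CVE-2024-12085, a compare that runs past a freshly computed checksum into uninitialized stack) share one root cause: s2length arrives from the peer and was used as a copy/compare length without being bounded by the digest length this side negotiated. The following is an added C model of that pattern and of the bound check that closes both issues. It is not rsync's code and not the upstream patch: the names s2length, sum2, SUM_LENGTH and MAX_DIGEST_LEN are rsync's, but the wire layout, the digest-length constants and every function name (build_sum_wire, read_sum_head, s2length_ok, sum2_overflow_bytes, receive_sum, sum2_matches) are assumptions made for the example.

```c
/*
 * Added illustration, not rsync's own code: a simplified model of the
 * checksum-header handling behind CVE-2024-12084 (overflow on receive) and
 * CVE-2024-12085 (over-read during compare), and the single bound check
 * that closes both. s2length, sum2, SUM_LENGTH and MAX_DIGEST_LEN are
 * rsync's names; the wire layout, the digest lengths and every function
 * name here are assumptions made for this example.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SUM_LENGTH     16   /* fixed sum2 size in the pre-fix layout (16 bytes) */
#define MAX_DIGEST_LEN 64   /* longest digest rsync can negotiate (SHA-512) */

/* Negotiated strong-checksum lengths in bytes (assumed values). */
enum { DIGEST_MD5 = 16, DIGEST_SHA256 = 32, DIGEST_SHA512 = 64 };

/* Pre-fix shape: a 16-byte sum2 that a peer's s2length may ask to overfill. */
struct sum_buf_old { uint32_t sum1; unsigned char sum2[SUM_LENGTH]; };
/* Fixed shape: room for the longest digest, and s2length is validated first. */
struct sum_buf_new { uint32_t sum1; unsigned char sum2[MAX_DIGEST_LEN]; };

struct sum_head { int32_t count, blength, s2length, remainder; };

/* Assumed wire layout (a stand-in, not rsync's real framing): four
 * little-endian int32 header fields (count, blength, s2length, remainder),
 * then per block a 4-byte sum1 followed by s2length bytes of sum2. */
static void wr32(unsigned char *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Build one constructed header plus one block; returns bytes written, 0 if no room. */
size_t build_sum_wire(unsigned char *out, size_t cap, int32_t s2length,
                      const unsigned char *sum2, size_t sum2_len) {
    if (s2length < 0 || (size_t)s2length > sum2_len || cap < 20 + (size_t)s2length) return 0;
    wr32(out, 1); wr32(out + 4, 700); wr32(out + 8, (uint32_t)s2length); wr32(out + 12, 0);
    wr32(out + 16, 0xdeadbeef);                         /* constructed sum1 */
    memcpy(out + 20, sum2, (size_t)s2length);
    return 20 + (size_t)s2length;
}

/* Parse the 16-byte header; -1 on short input. No validation happens here. */
int read_sum_head(const unsigned char *buf, size_t n, struct sum_head *h) {
    if (n < 16) return -1;
    h->count = (int32_t)rd32(buf);       h->blength   = (int32_t)rd32(buf + 4);
    h->s2length = (int32_t)rd32(buf + 8); h->remainder = (int32_t)rd32(buf + 12);
    return 0;
}

/* The bound check: s2length comes from the peer, so it is limited to the
 * digest length this side negotiated, which never exceeds MAX_DIGEST_LEN. */
int s2length_ok(int32_t s2length, int digest_len) {
    return digest_len > 0 && digest_len <= MAX_DIGEST_LEN &&
           s2length >= 0 && s2length <= digest_len;
}

/* Pre-fix behaviour, reported rather than performed: with the copy length
 * trusted, this many bytes would land past the end of sum_buf_old.sum2. */
int32_t sum2_overflow_bytes(int32_t s2length) {
    return s2length > SUM_LENGTH ? s2length - SUM_LENGTH : 0;
}

/* Fixed receive path: returns s2length on success, -1 on short input,
 * -2 when the peer's s2length fails the bound check (treat as protocol error). */
int receive_sum(const unsigned char *wire, size_t n, int digest_len, struct sum_buf_new *out) {
    struct sum_head h;
    if (read_sum_head(wire, n, &h) < 0) return -1;
    if (!s2length_ok(h.s2length, digest_len)) return -2;
    if (n < 20 + (size_t)h.s2length) return -1;
    out->sum1 = rd32(wire + 16);
    memset(out->sum2, 0, sizeof out->sum2);
    memcpy(out->sum2, wire + 20, (size_t)h.s2length);  /* bounded: <= digest_len <= 64 */
    return h.s2length;
}

/* Fixed compare path: `computed` holds digest_len bytes of a freshly
 * computed checksum. Since s2length <= digest_len, memcmp never runs past
 * it into whatever else sits on the stack (the CVE-2024-12085 leak). */
int sum2_matches(const unsigned char *computed, int digest_len,
                 const unsigned char *sum2, int32_t s2length) {
    if (!s2length_ok(s2length, digest_len)) return 0;
    return memcmp(computed, sum2, (size_t)s2length) == 0;
}

int main(void) {
    unsigned char wire[128], big[MAX_DIGEST_LEN];
    struct sum_buf_new sb;
    memset(big, 0xAA, sizeof big);                      /* constructed checksum bytes */
    size_t n = build_sum_wire(wire, sizeof wire, 64, big, sizeof big);
    printf("peer sent s2length=64 with MD5 negotiated: receive_sum=%d, "
           "unchecked copy would overrun sum2 by %d bytes\n",
           receive_sum(wire, n, DIGEST_MD5, &sb), sum2_overflow_bytes(64));
    printf("same header with SHA-512 negotiated: receive_sum=%d\n",
           receive_sum(wire, n, DIGEST_SHA512, &sb));
    return 0;
}
```

The point of the model is that the same check guards both paths: a peer may legitimately send a 64-byte sum2 only when a 64-byte digest was negotiated, so the receive buffer is sized for MAX_DIGEST_LEN and any s2length outside 0..digest_len is rejected before it is used as a memcpy or memcmp length. The advisory's compile-time mitigations (disabling the SHA digests, or -ftrivial-auto-var-init=zero) shrink the reachable over-write or blank the over-read, but do not replace the check; upgrading to 3.4.0 does.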
