Rsync 3.4 Brings Patches for Six Security Vulnerabilities

Rsync 3.4 debuts with patches for six security flaws, including buffer overflow and symlink handling issues, plus improved compatibility and CI updates.

The widely used file-synchronization tool Rsync has just released its latest version, 3.4, addressing six vulnerabilities that affect Rsync v3.3 and below.

CVE-2024-12084: A heap-based buffer overflow flaw was identified in the rsync daemon. It is triggered when an attacker-supplied checksum length exceeds 16 bytes, allowing attackers to write data out of bounds.

CVE-2024-12085: A flaw in the rsync daemon appears during file checksum comparisons. Attackers can manipulate checksum lengths to compare with uninitialized memory, leaking one byte of stack data at a time.

CVE-2024-12086: A flaw in rsync could let a malicious server read files from a client’s machine. By sending specially crafted checksums during file copy, attackers can reconstruct file contents byte-by-byte.

CVE-2024-12087: A path traversal flaw in rsync allows a malicious server to write files outside the intended directory. This results from the “--inc-recursive” option and inadequate symlink checks.

CVE-2024-12088: A flaw in rsync’s “--safe-links” option fails to verify nested symlinks. This can lead to path traversal and writing files outside the expected directory.

CVE-2024-12747: A race condition in rsync’s symlink handling can bypass its default link-skipping. If an attacker replaces a regular file with a symlink at the right time, they can access sensitive information or escalate privileges.
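The two symlink issues above (CVE-2024-12087 and CVE-2024-12088) come down to the same mistake: judging a link by its literal target string rather than by where it finally resolves. The audit script below is added here and is not part of Rsync or of this article; it walks a sync destination and flags symlinks whose fully resolved target lies outside the tree, and contrasts that with a shallow check that a nested link slips past. The directory layout it builds is constructed sample data.

```python
import os
import tempfile

def link_escapes_naive(link_path, root):
    """Shallow check: inspect only the literal target stored in the link."""
    target = os.readlink(link_path)
    if os.path.isabs(target):
        return True
    joined = os.path.normpath(os.path.join(os.path.dirname(link_path), target))
    return os.path.commonpath([root, joined]) != root

def link_escapes_resolved(link_path, root):
    """Full check: resolve every symlink in the chain, then test containment."""
    real_root = os.path.realpath(root)
    real_target = os.path.realpath(link_path)
    return os.path.commonpath([real_root, real_target]) != real_root

def find_escaping_symlinks(root):
    """Walk root without following links; return symlinks (relative paths)
    whose fully resolved target is outside root."""
    root = os.path.realpath(root)
    escaping = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) and link_escapes_resolved(path, root):
                escaping.append(os.path.relpath(path, root))
    return sorted(escaping)

def build_demo_tree():
    """Constructed sample: a sync destination holding a two-hop symlink chain."""
    base = tempfile.mkdtemp()
    dest, outside = os.path.join(base, "dest"), os.path.join(base, "outside")
    os.makedirs(os.path.join(dest, "sub"))
    os.makedirs(outside)
    open(os.path.join(outside, "secret"), "w").close()
    # hop 1: a relative directory link that leaves dest; a shallow check sees the ".."
    os.symlink("../../outside", os.path.join(dest, "sub", "up"))
    # hop 2: looks local ("up/secret"), but the path runs through hop 1
    os.symlink("up/secret", os.path.join(dest, "sub", "notes"))
    os.symlink("sub", os.path.join(dest, "alias"))  # harmless in-tree link
    return dest

def demo():
    root = os.path.realpath(build_demo_tree())
    notes = os.path.join(root, "sub", "notes")
    return {"naive_misses_nested": not link_escapes_naive(notes, root),
            "resolved_catches_nested": link_escapes_resolved(notes, root),
            "escaping": find_escaping_symlinks(root)}

if __name__ == "__main__":
    print(demo())
```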

Apart from that, Rsync 3.4 also includes the following noteworthy changes:

  • Resolved an issue related to a missing return type in the IPv6 check, ensuring smooth IPv6 functionality.
  • Moved the FreeBSD Continuous Integration (CI) pipeline to GitHub Actions.
  • Provided hints to enable a single proxy to manage both plain and SSL streams simultaneously.
  • Silenced compiler warnings about unused variables, thereby reducing clutter in the code.
  • Upgraded to Popt 1.19 for enhanced command-line parsing and improved consistency.
  • Added a script (“install_deps_ubuntu.sh”) to streamline the installation of required dependencies on Ubuntu systems.
  • Expanded coverage by incorporating a dedicated build target for Solaris, broadening operating system support.
  • Updated linker paths for Apple Silicon devices to ensure seamless compilation and linking.

Anyone using older Rsync versions should review the CVEs mentioned above and upgrade to the latest v3.4. For more information, see the changelog.

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.