
update: net-misc/rsync #1610

flatcar/scripts #2614 (Closed)

@tormath1

Name: net-misc/rsync
CVEs (assessed CVSS):
  CVE-2024-12084 (9.8)
  CVE-2024-12085 (7.5)
  CVE-2024-12086 (6.1)
  CVE-2024-12087 (6.5)
  CVE-2024-12088 (6.5)
  CVE-2024-12747 (5.6)
Action Needed: upgrade to >= 3.3.0-r2, as 3.4.0 seems to have some regressions [1]:

Not bumping to 3.4.0 yet as there's a bunch of regressions and seems safer to just do these patches

Summary:
CVE-2024-12084 A heap-buffer-overflow vulnerability in the Rsync daemon results in improper handling of attacker-controlled checksum lengths (s2length). When the MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), an attacker can write out-of-bounds in the sum2 buffer.

CVE-2024-12085 When Rsync compares file checksums, a vulnerability in the Rsync daemon can be triggered. An attacker could manipulate the checksum length (s2length) to force a comparison between the checksum and uninitialized memory and leak one byte of uninitialized stack data at a time.

CVE-2024-12086 A vulnerability in the Rsync daemon could cause a server to leak the contents of arbitrary files from clients’ machines. This happens when files are copied from client to server. During the process, a malicious Rsync server can generate invalid communication tokens and checksums from data the attacker compares. The comparison will trigger the client to ask the server to resend data, which the server can use to guess a checksum. The server could then reprocess data, byte to byte, to determine the contents of the target file.

CVE-2024-12087 A path traversal vulnerability in the Rsync daemon affects the --inc-recursive option, a default-enabled option for many flags that can be enabled by the server even if not explicitly enabled by the client. When using this option, a lack of proper symlink verification coupled with de-duplication checks occurring on a per-file-list basis could allow a server to write files outside of the client's intended destination directory. A malicious server could remotely trigger this activity by exploiting symbolic links named after valid client directories/paths.

CVE-2024-12088 A --safe-links option vulnerability results in Rsync failing to properly verify whether the symbolic link destination contains another symbolic link within it. This results in a path traversal vulnerability, which may lead to arbitrary files being written outside of the desired directory.

CVE-2024-12747 Rsync is vulnerable to a symbolic-link race condition, which may lead to privilege escalation. A user could gain access to privileged files on affected servers.

refmap.gentoo: https://bugs.gentoo.org/948106

Footnotes

  1. https://bugs.gentoo.org/948106#c10
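As an added example (not rsync's code, and not taken from this issue or the Gentoo bug), the following C program models the bounds problem behind CVE-2024-12084 and CVE-2024-12085 with constructed structures: a 16-byte sum2 slot, a peer-supplied checksum header whose s2length is only capped by the protocol maximum, and the hardened check that caps it by the destination buffer instead. The struct and field names, the constants and the 64-byte digest maximum are assumptions chosen to mirror the advisory text; the program computes how far an unchecked copy or compare would run past sum2 rather than performing it.

```c
/* Added example, not rsync's code. Models the s2length bounds problem
 * described for CVE-2024-12084 (out-of-bounds write into sum2) and
 * CVE-2024-12085 (out-of-bounds compare against sum2) with constructed
 * types. Names and sizes are assumptions, not rsync's definitions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SUM_LENGTH     16   /* fixed per-block checksum slot (advisory: 16 bytes) */
#define MAX_DIGEST_LEN 64   /* assumed protocol maximum, e.g. a 512-bit digest */

/* One block entry in the receiver's checksum table (constructed layout). */
struct sum_buf {
    int64_t       offset;
    int32_t       len;
    uint32_t      sum1;
    unsigned char sum2[SUM_LENGTH];   /* the 16-byte slot the peer's data lands in */
};

/* Checksum header as read from the wire; s2length is attacker controlled. */
struct sum_head {
    int32_t count;
    int32_t blength;
    int32_t s2length;
    int32_t remainder;
};

/* Flawed validation: bounds s2length by the protocol maximum, not by the
 * size of the buffer it is later copied into or compared against.
 * Returns 1 if the header would be accepted. */
int s2length_accepted_flawed(int32_t s2length) {
    return s2length >= 0 && s2length <= MAX_DIGEST_LEN;
}

/* Hardened validation: bounds s2length by the destination buffer itself. */
int s2length_accepted_hardened(int32_t s2length) {
    return s2length >= 0
        && (size_t)s2length <= sizeof(((struct sum_buf *)0)->sum2);
}

/* How many bytes past the end of sum2 an unchecked memcpy (12084) or
 * memcmp (12085) of s2length bytes would touch. Computed, not performed. */
int overflow_bytes(int32_t s2length) {
    if (s2length <= SUM_LENGTH)
        return 0;
    return s2length - SUM_LENGTH;
}

/* Copy one block checksum from the wire into sb->sum2 using the hardened
 * check, so the copy is always memory-safe. Returns bytes copied or -1. */
int copy_block_sum(struct sum_buf *sb, const unsigned char *wire,
                   size_t wire_len, int32_t s2length) {
    if (!s2length_accepted_hardened(s2length))
        return -1;                       /* reject: larger than the slot */
    if ((size_t)s2length > wire_len)
        return -1;                       /* reject: short read from peer */
    memcpy(sb->sum2, wire, (size_t)s2length);
    return s2length;
}

/* Drive copy_block_sum with a constructed 64-byte wire payload and a fresh
 * sum_buf; returns copy_block_sum's result. */
int try_copy(int32_t s2length) {
    struct sum_buf sb;
    unsigned char wire[MAX_DIGEST_LEN];
    memset(&sb, 0, sizeof sb);
    memset(wire, 0xAA, sizeof wire);     /* constructed peer data */
    return copy_block_sum(&sb, wire, sizeof wire, s2length);
}

int main(void) {
    /* Constructed malicious header: claims 64-byte block checksums. */
    struct sum_head evil = { .count = 1, .blength = 700,
                             .s2length = MAX_DIGEST_LEN, .remainder = 0 };

    printf("flawed check accepts s2length=%d: %d (would run %d bytes past sum2)\n",
           evil.s2length, s2length_accepted_flawed(evil.s2length),
           overflow_bytes(evil.s2length));
    printf("hardened check accepts s2length=%d: %d\n",
           evil.s2length, s2length_accepted_hardened(evil.s2length));
    printf("copy_block_sum with s2length=%d -> %d\n",
           evil.s2length, try_copy(evil.s2length));
    printf("copy_block_sum with s2length=%d -> %d\n",
           SUM_LENGTH, try_copy(SUM_LENGTH));
    return 0;
}
```

The point the two checks make is the one the advisory states: a bound expressed in terms of the negotiated digest maximum is only safe if every buffer the value indexes is at least that large, and a fixed 16-byte slot is not. Whatever real fix a distribution ships, the invariant to verify when reviewing it is that s2length is compared against the size of sum2, not against MAX_DIGEST_LEN alone.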

Metadata

Labels: advisory (security advisory), cvss/CRITICAL (>= 9 assessed CVSS), cvss/HIGH (> 7 && < 9 assessed CVSS), cvss/MEDIUM (>= 4 && < 7 assessed CVSS), security (security concerns)

Status: Implemented
