Arch Linux

FS#42806 - [rsync] path hijacking vulnerability

Attached to Project: Arch Linux
Opened by Yardena Cohen (yardenac) - Sunday, 16 November 2014, 03:56 GMT
Last edited by Pierre Schmitz (Pierre) - Friday, 15 May 2015, 12:45 GMT
Task Type: Bug Report
Category: Security
Status: Closed
Assigned To: Pierre Schmitz (Pierre)
Architecture: All
Severity: Critical
Priority: Normal
Reported Version
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 1
Private: No


An evil server can force rsync 3.1.1 to write arbitrary data to the filesystem, which can lead to remote code execution.

Closed by Pierre Schmitz (Pierre)
Friday, 15 May 2015, 12:45 GMT
Reason for closing: Upstream
Comment by Pierre Schmitz (Pierre) - Sunday, 16 November 2014, 17:02 GMT
This needs to be fixed upstream; nothing I can do here.
Comment by Ido Rosen (idorosen) - Monday, 05 January 2015, 02:10 GMT
Comment by Christian Rebischke (Shibumi) - Thursday, 19 February 2015, 20:10 GMT
Is this issue fixed? Does it have a CVE? I ask because I am in the Archlinux-CVE-Monitoring team.
Btw the issue seems fixed upstream:
Comment by Pierre Schmitz (Pierre) - Friday, 20 February 2015, 16:57 GMT
The report states that this was fixed in 3.1.1. I don't see a newer rsync release anyway.
Comment by Pascal Ernster (hardfalcon) - Monday, 13 April 2015, 05:53 GMT
There seems to be yet another bug report upstream for fixing another aspect of the same CVE:

Unfortunately, they've still not fixed it completely, but they've at least fixed it for inc-recursive transfers (which are the defaults):;a=commit;h=962f8b90045ab331fc04c9e65f80f1a53e68243b

So for non-inc-recursive transfers, there's still no fix, but Archlinux could at least ship the above-mentioned patch.
Comment by Pierre Schmitz (Pierre) - Friday, 15 May 2015, 12:45 GMT
This will get fixed once upstream decides it's worth a release.