Rsync 3.4 Released Due To Multiple, Significant Security Vulnerabilities

Written by Michael Larabel in Free Software on 14 January 2025 at 08:40 PM EST. 22 Comments
Rsync 3.4 is out today for the widely-used utility for incrementally transferring and synchronizing files between systems. Rsync is especially popular for incremental backups of Linux servers, and unfortunately this v3.4 release isn't cheery news.

Rsync 3.4 isn't here to deliver grand new features and other improvements but rather is warranted by some newly-disclosed security issues. Rsync 3.4 was released today to fix multiple "important" vulnerabilities. The Google Cloud Vulnerability Research team along with Aleksei Gorban uncovered six security issues in Rsync. The issues include a heap buffer overflow, an information leak, a server leaking arbitrary client files, a server being able to make the client write files outside of the destination directory via symbolic links, a safe-links bypass, and a symlink race condition. Ouch, especially for the leaking of arbitrary client files and the writing of files outside the destination directory.

All six of these CVEs are fixed in Rsync 3.4:

CVE-2024-12084 - Heap Buffer Overflow in Checksum Parsing.
CVE-2024-12085 - Info Leak via uninitialized Stack contents defeats ASLR.
CVE-2024-12086 - Server leaks arbitrary client files.
CVE-2024-12087 - Server can make client write files outside of destination directory using symbolic links.
CVE-2024-12088 - --safe-links Bypass.
CVE-2024-12747 - symlink race condition.

Rsync 3.4 also has a few other bug fixes plus introduces FreeBSD and Solaris continuous integration (CI) builds. The Rsync protocol number is also bumped to 32, making it easier to check whether servers have been updated in light of the security woes.
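The protocol bump gives administrators a quick way to spot servers still running pre-3.4 code. The following is an added example (not code from the rsync project or the article) that parses the greeting an rsync daemon sends on connect (`@RSYNCD: <major>.<minor>`) and the first line of `rsync --version`, and flags anything below protocol 32; the host names and greeting strings are constructed samples, and note that a distribution backport may fix the CVEs without bumping the protocol, so a 31 result means "verify the package version", not "confirmed vulnerable".

```python
import re
import socket

# Protocol number introduced with rsync 3.4.0, as stated in the release notes.
FIXED_PROTOCOL = 32

# Constructed sample inputs (not captured from any real host).
SAMPLE_DAEMON_GREETINGS = {
    "old-mirror": "@RSYNCD: 31.0\n",
    "patched-mirror": "@RSYNCD: 32.0\n",
}
SAMPLE_VERSION_BANNER = "rsync  version 3.4.0  protocol version 32\n"

# Daemon greeting: "@RSYNCD: 31.0" (major.minor form used since protocol 30).
GREETING_RE = re.compile(r"^@RSYNCD:\s*(\d+)(?:\.(\d+))?")
# First line of `rsync --version`: "rsync  version 3.4.0  protocol version 32".
BANNER_RE = re.compile(r"rsync\s+version\s+(\S+)\s+protocol version\s+(\d+)")


def protocol_from_greeting(greeting: str) -> int:
    """Return the major protocol number from an rsync daemon greeting line."""
    m = GREETING_RE.match(greeting.strip())
    if not m:
        raise ValueError(f"not an rsync daemon greeting: {greeting!r}")
    return int(m.group(1))


def protocol_from_version_banner(banner: str) -> tuple[str, int]:
    """Return (version string, protocol number) from `rsync --version` output."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised rsync version banner: {banner!r}")
    return m.group(1), int(m.group(2))


def is_patched(protocol: int) -> bool:
    """True when the advertised protocol is the 3.4-era one or newer.
    A lower number means the package version must be checked by hand,
    since distro backports can fix the CVEs without bumping the protocol."""
    return protocol >= FIXED_PROTOCOL


def fetch_daemon_greeting(host: str, port: int = 873, timeout: float = 5.0) -> str:
    """Connect to a live rsync daemon and read its greeting line (network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.makefile("r", encoding="ascii", errors="replace").readline()


if __name__ == "__main__":
    for name, greeting in SAMPLE_DAEMON_GREETINGS.items():
        proto = protocol_from_greeting(greeting)
        print(f"{name}: protocol {proto} -> {'ok' if is_patched(proto) else 'CHECK'}")
```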



More details on the Rsync 3.4 release via the Samba.org project site.