Rsync 3.4 Released Due To Multiple, Significant Security Vulnerabilities

Rsync 3.4 isn't arriving with grand new features or other improvements; the release is warranted by newly-disclosed security issues. Rsync 3.4 was released today to fix multiple "important" vulnerabilities. The Google Cloud Vulnerability Research team, along with Aleksei Gorban, uncovered six security issues in Rsync. They include a heap buffer overflow, an information leak, the server leaking arbitrary client files, the server being able to make the client write files outside of the destination directory via symbolic links, a safe-links bypass, and a symlink race condition. Ouch, especially for the leaking of arbitrary client files and the writing of files outside the destination directory.
All six of these CVEs are fixed in Rsync 3.4:
CVE-2024-12084 - Heap Buffer Overflow in Checksum Parsing.
CVE-2024-12085 - Info Leak via uninitialized Stack contents defeats ASLR.
CVE-2024-12086 - Server leaks arbitrary client files.
CVE-2024-12087 - Server can make client write files outside of destination directory using symbolic links.
CVE-2024-12088 - --safe-links Bypass.
CVE-2024-12747 - symlink race condition.
Rsync 3.4 also has a few other bug fixes and introduces FreeBSD and Solaris continuous integration (CI) builds. The Rsync protocol number is also bumped to 32 to make it easier to check whether servers have been updated in light of the security woes.
More details on the Rsync 3.4 release are available via the Samba.org project site.
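The protocol bump to 32 mentioned above can be turned into an inventory check. The following is an added example, not code from the article or the rsync project; it assumes the `rsync --version` first-line and daemon `@RSYNCD:` greeting formats shown in its comments, and the hostnames and captured lines are constructed.

```python
import re

PATCHED_PROTOCOL = 32  # protocol number the article gives for rsync 3.4

# First line of `rsync --version`: "rsync  version 3.4.0  protocol version 32"
VERSION_RE = re.compile(r"^rsync\s+version\s+\S+\s+protocol version\s+(\d+)")
# Daemon greeting: "@RSYNCD: 31.0 sha512 ..."; very old daemons send "@RSYNCD: 29"
GREETING_RE = re.compile(r"^@RSYNCD:\s+(\d+)(?:\.\d+)?(?:\s|$)")


def protocol_from_line(line):
    """Return the protocol number in a version line or greeting, else None."""
    line = line.strip()
    for pattern in (VERSION_RE, GREETING_RE):
        match = pattern.match(line)
        if match:
            return int(match.group(1))
    return None  # e.g. "@ERROR: ..." or any line without a protocol number


def classify(line):
    """'updated' at protocol >= 32, 'needs-review' below it, else 'unknown'."""
    proto = protocol_from_line(line)
    if proto is None:
        return "unknown"
    # A lower number only means "not confirmed": a vendor package may carry
    # backported fixes without the protocol bump, so check its changelog.
    return "updated" if proto >= PATCHED_PROTOCOL else "needs-review"


def audit(inventory):
    """Return ({host: status}, sorted hosts that still need follow-up)."""
    results = {host: classify(line) for host, line in inventory}
    follow_up = sorted(h for h, s in results.items() if s != "updated")
    return results, follow_up


# Constructed sample inventory: hostnames and captured lines are made up.
SAMPLE = [
    ("backup01.example", "rsync  version 3.4.0  protocol version 32"),
    ("backup02.example", "rsync  version 3.2.7  protocol version 31"),
    ("mirror01.example", "@RSYNCD: 32.0 sha512 sha256 sha1 md5 md4"),
    ("mirror02.example", "@RSYNCD: 31.0"),
    ("legacy01.example", "@RSYNCD: 29"),
    ("broken01.example", "@ERROR: protocol startup error"),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```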