Hi there,

On Wed, 15 Jan 2025, Ghislain Adnet wrote:

> do you [think] those can affect also rsync-bpc ... ?
Firstly, if you're using rsync or rsyncd then it's time to upgrade! Secondly, I would not recommend that anyone permit any kind of rsync access to potentially abusive users. It is very easy to prevent it with rsync's configuration and/or firewall rules. Thirdly, I believe that the first of the vulnerabilities (the serious one) does not affect rsync-bpc. The others may, but are less serious.

I've done some initial searching but I'm out of time now, so here are my search results so far:
CVE-2024-12084 - Heap Buffer Overflow in Checksum Parsing.
CVSS: 9.8

Depends on the rsync version. Affected versions of the upstream rsync are 3.2.7 to 3.4.0, so (at least the way I read it!) no version of rsync-bpc (the latest is based on rsync 3.1.3) will be affected by it. Of the vulnerabilities in this batch, this is the most serious. It's really serious, so I'm just updating rsync/rsyncd on my machines.
CVE-2024-12085 - Info Leak via uninitialized Stack contents defeats ASLR.
CVSS: 7.5

May leak *stack* data one byte at a time, so it may be sensitive data.
https://github.com/RsyncProject/rsync/commit/589b0691e59f761ccb05ddb8e1124991440db2c7
CVE-2024-12086 - Server leaks arbitrary client files.
CVSS: 6.1

May leak *file* data one byte at a time. However, note in this case that it's a malicious *server*, not a malicious client. Presumably as far as we're concerned for BackupPC the server is expected to have pretty extensive access to the clients. I haven't looked for a github commit which addresses this issue.
CVE-2024-12087 - Server can make client write files outside of destination directory using symbolic links.
CVSS: 6.5

Depends on use of the --inc-recursive option. Again a malicious *server*.
https://github.com/RsyncProject/rsync/commit/0902b52f6687b1f7952422080d50b93108742e53
CVE-2024-12088 - --safe-links Bypass.
CVSS: 6.5

Depends on use of the --copy-dest option.
https://github.com/RsyncProject/rsync/commit/407c71c7ce562137230e8ba19149c81ccc47c387
CVE-2024-12747 - symlink race condition.
CVSS: 6.5

https://github.com/RsyncProject/rsync/commit/0590b09d9a34ae72741b91ec0708a820650198b0

I think this one would be rather tricky for an attacker to use.

See also
1: CVE-2024-12089: Depends on use of the --backup-dir option.
2: https://github.com/RsyncProject/rsync/commit/c35e28331f10ba6eba370611abd78bde32d54da7

HTH

--
73, Ged.

_______________________________________________
BackupPC-users mailing list
BackupPC-users@lists.sourceforge.net
List: https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki: https://github.com/backuppc/backuppc/wiki
Project: https://backuppc.github.io/backuppc/