Salvatore Bonaccorso <[email protected]> writes:

> hi,
>
> On Thu, Apr 16, 2026 at 08:27:56AM -0700, Alan Coopersmith wrote:
>> On 4/15/26 22:49, Przemyslaw Frasunek wrote:
>> > 7. TIMELINE
>> >
>> > 2008-03-07 Bug introduced in commit d724dd186 (rsync 3.0.1pre1).
>> >            The commit added qsort to receive_xattr() for sorting xattrs
>> >            after namespace prefix munging in --fake-super mode.
>> > 2026-04-16 This report.
>>
>> Have you notified the rsync maintainers about this? When?
>
> FWIW, it looks like this got CVE-2026-41035 assigned:
> https://www.cve.org/CVERecord?id=CVE-2026-41035

-> https://github.com/RsyncProject/rsync/issues/871

Over there, tridge says:

> This is mostly a way for the client to shoot down their own connection to the
> fork-per-connection process.
> I need to look further into the potential impact of a malicious
> server, [...]
> [...]

sam
