Re: RSYNC: 6 vulnerabilities

[Jan Schaumann <jschauma () netmeister org>]

Nick Tait <ntait () redhat com> wrote:

> [1] Heap Buffer Overflow in Rsync due to Improper Checksum Length Handling
>
> CVE ID: CVE-2024-12084
>
> CVSS 3.1: 9.8 - AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
>
> Description: A heap-based buffer overflow flaw was found in the rsync
> daemon. This issue is due to improper handling of attacker-controlled
> checksum lengths (s2length) in the code. When MAX_DIGEST_LEN exceeds the
> fixed SUM_LENGTH (16 bytes), an attacker can write out of bounds in the
> sum2 buffer.

Does anybody know if this issue is also present in the
code executing when you use SSH instead of rsyncd?

I'd expect the "rsync --server --sender" functionality
to possibly (likely?) share code here, but the current
description might lead folks to not consider this
scenario and only look for cases where they offer
rsyncd (e.g., port 873).

-Jan