oss-sec mailing list archives
Re: UAF in rsync 3.4.1 and below
From: Salvatore Bonaccorso <carnil () debian org>
Date: Thu, 16 Apr 2026 20:49:10 +0200
Hi,

On Thu, Apr 16, 2026 at 08:27:56AM -0700, Alan Coopersmith wrote:
> On 4/15/26 22:49, Przemyslaw Frasunek wrote:
> > 7. TIMELINE
> >
> > 2008-03-07  Bug introduced in commit d724dd186 (rsync 3.0.1pre1).
> >             The commit added qsort to receive_xattr() for sorting
> >             xattrs after namespace prefix munging in --fake-super mode.
> >
> > 2026-04-16  This report.
>
> Have you notified the rsync maintainers about this? When?

FWIW, it looks like this got CVE-2026-41035 assigned:

https://www.cve.org/CVERecord?id=CVE-2026-41035

Regards,
Salvatore

Current thread:
- UAF in rsync 3.4.1 and below Przemyslaw Frasunek (Apr 15)
- Re: UAF in rsync 3.4.1 and below Alan Coopersmith (Apr 16)
- Re: UAF in rsync 3.4.1 and below Salvatore Bonaccorso (Apr 16)
- Re: UAF in rsync 3.4.1 and below Sam James (Apr 21)
