Your submission was sent successfully! Close

CVE-2014-9512

Published: 12 February 2015

rsync 3.1.1 allows remote attackers to write to arbitrary files via a symlink attack on a file in the synchronization path.

Notes

AuthorNote
mdeslaur
rsync 3.1.1 introduced invalid filename filtering to prevent
malicious servers from sending files outside of the specified
directory:
https://git.samba.org/?p=rsync.git;a=commit;h=4cad402ea8a91031f86c53961d78bb7f4f174790

CVE-2014-9512 is about malicious servers being able to bypass
that filtering by changing paths.

This is a security hardening feature that was added in 3.1.1.
Either the whole feature needs to be backported to versions
earlier than 3.1.1, or this issue doesn't apply to them.

a second commit was later added:
https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=e12a6c087ca1eecdb8eae5977be239c24f4dd3d9
packages in vivid+ claim that this CVE is fixed, but are missing
the second commit
Priority

Medium

Status

Package Release Status
rsync
Launchpad, Ubuntu, Debian
lucid Ignored
(reached end-of-life)
precise
Released (3.0.9-1ubuntu1.1)
trusty
Released (3.1.0-2ubuntu0.2)
upstream
Released (3.1.2)
utopic Ignored
(reached end-of-life)
vivid
Released (3.1.1-3ubuntu0.15.04.1)
wily
Released (3.1.1-3ubuntu0.15.10.1)
Patches:
upstream: https://git.samba.org/?p=rsync.git;a=commit;h=962f8b90045ab331fc04c9e65f80f1a53e68243b
upstream: https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=e12a6c087ca1eecdb8eae5977be239c24f4dd3d9