rsync 2.6.6pre1 released (ALERT: info on zlib security flaw)

Dmitry V. Levin ldv at
Sat Jul 9 21:33:11 GMT 2005

On Fri, Jul 08, 2005 at 02:10:19PM -0700, Wayne Davison wrote:
> [I neglected to cross-post this from the rsync-announce list to the
> regular rsync mailing list when I sent this out yesterday.]
> There has been some talk about a zlib security problem that could let
> someone overflow the buffers in the zlib decompression code, potentially
> allowing someone to craft an exploit to execute arbitrary code.  Since
> this is a decompression bug, this can only affect an rsync daemon if
> it allows uploads with the --compress option enabled.

This bug (CAN-2005-2096) in zlib's inflate_table() is zlib-1.2.x only;
zlib-1.1.4 does not contain that code and is therefore not vulnerable.
That is, rsync-2.6.5 is not vulnerable.
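
Added example, not part of the original post or of rsync itself: a small audit of an rsyncd.conf that lists the modules meeting the exposure condition quoted above (uploads allowed and compression not refused), which is what to review on a daemon built against zlib 1.2.x. The sample configuration and module names are constructed, and the parser assumes one parameter per line with no backslash continuations.

```python
import fnmatch

# Constructed sample rsyncd.conf; module names and paths are hypothetical.
SAMPLE_CONF = """\
# global section
refuse options = delete
[mirror]
    path = /srv/mirror
[incoming]
    path = /srv/incoming
    read only = no
[backup]
    path = /srv/backup
    Read Only = false
    refuse options = checksum compress
"""

FALSE_VALUES = {"no", "false", "0"}

def parse_rsyncd_conf(text):
    """Return (globals, {module: params}). Parameter names are compared
    without whitespace and case-insensitively, as rsyncd does."""
    globals_, modules = {}, {}
    current = globals_
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
        elif "=" in line:
            key, value = line.split("=", 1)  # only the first '=' is significant
            current["".join(key.split()).lower()] = value.strip()
    return globals_, modules

def accepts_compressed_uploads(params, globals_):
    """True if the module is writable and does not refuse --compress / -z."""
    merged = {**globals_, **params}  # module settings override globals
    writable = merged.get("readonly", "yes").lower() in FALSE_VALUES  # default: read only
    patterns = merged.get("refuseoptions", "").split()
    refused = any(fnmatch.fnmatch(name, pat)
                  for pat in patterns for name in ("compress", "z"))
    return writable and not refused

def exposed_modules(text):
    globals_, modules = parse_rsyncd_conf(text)
    return sorted(name for name, params in modules.items()
                  if accepts_compressed_uploads(params, globals_))

if __name__ == "__main__":
    print(exposed_modules(SAMPLE_CONF))
```

A module reported here can be closed off either with `read only = yes` or by adding `compress` to its `refuse options`.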
