Restriction enforcement

Hove, K.W. van (Koen, Student M-CS) k.w.vanhove at student.utwente.nl
Thu Aug 4 10:00:56 UTC 2022


Dear Wayne, all,

I recently saw the report from OpenWall on CVE-2022-29154 as well as the prerelease of rsync 3.2.5. I believe that is the same issue (albeit with a malicious scenario attached to it), right? If so, I am happy to see it resolved. 

Cordially,
Koen van Hove

From: Wayne Davison <wayne at opencoder.net>
Date: Saturday, 12 March 2022 at 18:20
To: "Hove, K.W. van (Koen, Student M-CS)" <k.w.vanhove at student.utwente.nl>
Cc: "rsync at lists.samba.org" <rsync at lists.samba.org>
Subject: Re: Restriction enforcement

On Tue, Mar 8, 2022 at 7:15 AM Hove, K.W. van (Koen, Student M-CS) via rsync <rsync at lists.samba.org> wrote:
> I noticed that --max-size, --min-size, --exclude, and --include are only sent by the client as a "request" to the server, and that if the server for some reason chooses to ignore those options and include those files in the file list anyway, the client will happily run with it.

That is not based on client & server but rather sender & receiver. The sender gets the filter (include/exclude) commands so that it can trim the list it sends, but the client uses the min/max size values to figure out which files it wants to request. The client only uses the filter rules if it is running deletion commands. The daemon has a bit more paranoia, with an extra filter list that is consulted on both the sending & receiving side. So, one simple change that could be done would be to tweak generator.c & receiver.c and add in filter checks of the main filter_list where it is checking the daemon_filter_list.

So, for the most part, rsync expects each side to do their job and doesn't double-check non-security things (it does security-check that the file list hasn't gone outside the request's bounds and that it doesn't leverage a symlink as a way to escape the hierarchy, for instance).  There is also the problem that the generator has no direct way to tell the receiver what it is doing (given the big loop of information from generator to sender to receiver) so a rogue sender could be written to send files that the generator didn't request.

..wayne.. 
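
Added example, not part of the thread and not rsync's code: a receiver-side re-check of a sender-supplied file list against the receiver's own exclude patterns and size limits, the kind of double-check discussed above. All type and function names are hypothetical, the sample data is constructed, and plain fnmatch() globbing stands in for rsync's filter-rule syntax.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical types for this example; not rsync's structures. -1 = no limit. */
struct request { const char *const *excludes; long long min_size, max_size; };
struct entry   { const char *path; long long size; };
enum verdict   { ENTRY_OK, ENTRY_EXCLUDED, ENTRY_TOO_SMALL, ENTRY_TOO_LARGE };

/* Re-apply the receiver's own exclude globs to a path the sender offered.
 * Assumption: fnmatch() on full path and basename, not rsync's rule syntax. */
static int excluded(const struct request *rq, const char *path) {
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    for (size_t i = 0; rq->excludes && rq->excludes[i]; i++)
        if (fnmatch(rq->excludes[i], path, 0) == 0 ||
            fnmatch(rq->excludes[i], base, 0) == 0)
            return 1;
    return 0;
}

/* Verdict for one file-list entry, judged only by what the receiver requested. */
enum verdict check_entry(const struct request *rq, const struct entry *e) {
    if (excluded(rq, e->path)) return ENTRY_EXCLUDED;
    if (rq->min_size >= 0 && e->size < rq->min_size) return ENTRY_TOO_SMALL;
    if (rq->max_size >= 0 && e->size > rq->max_size) return ENTRY_TOO_LARGE;
    return ENTRY_OK;
}

/* Constructed sample: the request, and a list from a sender that ignored it. */
static const char *const sample_excludes[] = { "*.key", "secrets/*", NULL };
static const struct request sample_rq = { sample_excludes, -1, 1024 * 1024 };
static const struct entry sample_list[] = {
    { "docs/readme.txt", 2048 }, { "secrets/token", 64 }, { "backup/id.key", 1700 },
    { "img/huge.iso", 734003200LL }, { "src/main.c", 9000 },
};
#define SAMPLE_N (sizeof sample_list / sizeof sample_list[0])

/* Number of entries in the sample list that the receiver never asked for. */
size_t count_unrequested(void) {
    size_t bad = 0;
    for (size_t i = 0; i < SAMPLE_N; i++)
        bad += check_entry(&sample_rq, &sample_list[i]) != ENTRY_OK;
    return bad;
}

int main(void) {
    printf("%zu of %zu entries fall outside the request\n", count_unrequested(), SAMPLE_N);
    return 0;
}
```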


