CVE-2022-29154 and v3.2.3

Mark Esler mark.esler at canonical.com
Wed Aug 17 16:29:20 UTC 2022


Greetings all,

I am curious if CVE-2022-29154 affects rsync 3.2.3 or rrsync 3.2.3 and
earlier. More specifically, I am curious if the commit to use
protected arguments as default [0] introduced the CVE (if so,
v3.2.4pre1 is not affected).

The protect-args-as-default commit affects some of the variables
mentioned in the Restriction enforcement thread [1]. This commit also
introduces the old_style_args flag. In the main patch for the CVE [2],
if old_style_args is set to true then the add_implied_include function
promptly returns.

Thank you for your consideration and insight,
Mark Esler

[0] https://git.samba.org/?p=rsync.git;a=commit;h=6b8db0f6440b28d26ef807d17517715c47e62bd9
[1] https://www.mail-archive.com/rsync@lists.samba.org/msg33452.html
[2] https://git.samba.org/?p=rsync.git;a=commit;h=b7231c7d02cfb65d291af74ff66e7d8c507ee871
