CVE-2022-29154 and v3.2.3

Wayne Davison wayne at
Wed Aug 17 23:51:56 UTC 2022

On Wed, Aug 17, 2022 at 9:30 AM Mark Esler wrote:

> I am curious if CVE-2022-29154 affects rsync 3.2.3 or rrsync 3.2.3 and
> earlier.

The security page <> covers this: it's
all versions prior to 3.2.5.

if old_style_args is set to true then the add_implied_include function
> promptly returns.

The NEWS <> discusses this
under PACKAGING: the new verification feature requires the quoted args
feature from 3.2.4. Without that change, rsync can't reliably determine
what the remote arguments actually are (many people add quotes to old-style
args, expect splitting on spaces, variables can be expanded, etc).  Asking
to use unprotected remote args therefore implies trusting the sender.
There is some discussion about this in the manpage

One alternative would be to force --protect-args on by default (there is a
configure --with-protected-args option for that) and then base the security
bypass on protect_args being 0 instead of old_style_args being non-0.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the rsync mailing list