CVE-2022-29154 and v3.2.3

Mark Esler mark.esler at canonical.com
Thu Aug 18 14:12:59 UTC 2022


Hi Wayne,

Thank you for your detailed answer and links.

Gratefully,
Mark Esler

On Wed, Aug 17, 2022 at 6:52 PM Wayne Davison <wayne at opencoder.net> wrote:
>
> On Wed, Aug 17, 2022 at 9:30 AM Mark Esler wrote:
>>
>> I am curious if CVE-2022-29154 affects rsync 3.2.3 or rrsync 3.2.3 and earlier.
>
>
> The security page covers this: it's all versions prior to 3.2.5.
>
>> if old_style_args is set to true then the add_implied_include function promptly returns.
>
>
> The NEWS discusses this under PACKAGING: the new verification feature requires the quoted args feature from 3.2.4. Without that change, rsync can't reliably determine what the remote arguments actually are (many people add quotes to old-style args, expect splitting on spaces, variables can be expanded, etc).  Asking to use unprotected remote args therefore implies trusting the sender.  There is some discussion about this in the manpage.
>
> One alternative would be to force --protect-args on by default (there is a configure --with-protected-args option for that) and then base the security bypass on protect_args being 0 instead of old_style_args being non-0.
>
> ..wayne..
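
An added illustration of the point quoted above, that with old-style args the client cannot reliably determine what the remote arguments actually are (this is not rsync code and not from the thread). It assumes `/bin/sh` as a stand-in for the remote shell; the paths, the `SUBDIR` variable and the function names are constructed for the example.

```python
import subprocess

# Constructed environment standing in for the remote account's environment.
REMOTE_ENV = {"SUBDIR": "private"}

# Constructed remote-path strings exactly as a user might type them.
SAMPLES = ['src/file', 'src/a b', '"src/a b"', 'src/$SUBDIR/file']


def old_style_view(arg_string, env=REMOTE_ENV):
    """Return the argument list a shell produces from an old-style arg.

    Model only: the string is parsed by /bin/sh, so word splitting,
    quote removal and variable expansion all happen on the remote side.
    Only constructed sample strings are passed in here.
    """
    script = "for a in " + arg_string + "; do printf '%s\\n' \"$a\"; done"
    out = subprocess.run(["/bin/sh", "-c", script], env=env,
                         capture_output=True, text=True, check=True).stdout
    return out.splitlines()


def protected_view(arg_string):
    """With protected args the string reaches the remote rsync unparsed."""
    return [arg_string]


def client_can_predict(arg_string, env=REMOTE_ENV):
    """True only when the shell's result equals the literal string the
    client sent, i.e. the client knows which name was really requested."""
    return old_style_view(arg_string, env) == protected_view(arg_string)


if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:22} shell sees {old_style_view(s)!r:26} "
              f"predictable={client_can_predict(s)}")
```

Only the plain `src/file` case is predictable from the client side; the other three produce names that differ from the string the client holds.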


