USN-7206-3: rsync vulnerabilities
Publication date
28 January 2025
Overview
Several security issues were fixed in rsync.
Releases
Packages
- rsync - fast, versatile, remote (and local) file-copying tool
Details
USN-7206-1 fixed vulnerabilities in Ubuntu 14.04 LTS to Ubuntu 24.04 LTS.
This update provides the corresponding updates for Ubuntu 24.10.
Original advisory details:
Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync
did not properly handle checksum lengths. An attacker could use this
issue to execute arbitrary code. (CVE-2024-12084)
Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync
compared checksums with uninitialized memory. An attacker could exploit
this issue to leak sensitive information. (CVE-2024-12085)
Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync
incorrectly handled file checksums. A malicious server could use this
to expose arbitrary client files. (CVE-2024-12086)
Simon Scannell, Pedro Gallegos, and Jasiel Spelman...
USN-7206-1 fixed vulnerabilities in Ubuntu 14.04 LTS to Ubuntu 24.04 LTS.
This update provides the corresponding updates for Ubuntu 24.10.
Original advisory details:
Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync
did not properly handle checksum lengths. An attacker could use this
issue to execute arbitrary code. (CVE-2024-12084)
Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync
compared checksums with uninitialized memory. An attacker could exploit
this issue to leak sensitive information. (CVE-2024-12085)
Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync
incorrectly handled file checksums. A malicious server could use this
to expose arbitrary client files. (CVE-2024-12086)
Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync
mishandled symlinks for some settings. An attacker could exploit this
to write files outside the intended directory. (CVE-2024-12087)
Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync
failed to verify symbolic link destinations for some settings. An
attacker could exploit this for path traversal attacks. (CVE-2024-12088)
Aleksei Gorban discovered a race condition in rsync's handling of
symbolic links. An attacker could use this to access sensitive
information or escalate privileges. (CVE-2024-12747)
Update instructions
In general, a standard system update will make all the necessary changes. After a standard system update you need to restart rsync daemons if configured to make all the necessary changes.
Learn more about how to get the fixes.The problem can be corrected by updating your system to the following package versions:
| Ubuntu Release | Package Version | ||
|---|---|---|---|
| 24.10 oracular | rsync – 3.3.0-1ubuntu0.1 | ||
Reduce your security exposure
Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.