Six Bugs Fixed in Rsync

The most serious flaw can lead to remote code execution

Author

Newsroom
January 16, 2025

Researchers have discovered six vulnerabilities in the Rsync file synchronization and transfer utility, the most serious of which is a heap buffer overflow that can lead to remote code execution. The maintainers of Rsync have released a new version that addresses all of the bugs. 

Why It Matters: Rsync is a hugely popular utility that is included in many linux distributions, and many of them are affected by one or more of these flaws, including Red Hat, Gentoo, Arch, and SUSE. The vulnerabilities range from privilege escalation up to remote code execution and the details of all of the bugs are now public. 

CVEs: CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, CVE-2024-12747

Key Details

  • There are six separate bugs, five of which were discovered by members of Google’s Cloud Vulnerability Research team

  • The most serious of the bugs is CVE-2024-12084. “A heap-buffer-overflow vulnerability in the Rsync daemon results in improper handling of attacker-controlled checksum lengths (s2length). When the MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), an attacker can write out-of-bounds in the sum2 buffer,” the description says. 

  • Among the other vulnerabilities, there is a path traversal bug that could allow ann attacker to write files to an arbitrary location. “A path traversal vulnerability in the Rsync daemon affects the --inc-recursive option, a default-enabled option for many flags that can be enabled by the server even if not explicitly enabled by the client. When using this option, a lack of proper symlink verification coupled with de-duplication checks occurring on a per-file-list basis could allow a server to write files outside of the client's intended destination directory. A malicious server could remotely trigger this activity by exploiting symbolic links named after valid client directories/paths,” the description says. 

  • The Rsync maintainers have released version 3.4.0 to fix the vulnerabilities

What to Do Now: Upgrade to Rsync 3.4.0 as soon as possible.