Greetings all,

I am curious if CVE-2022-29154 affects rsync 3.2.3 or rrsync 3.2.3 and
earlier. More specifically, I am curious if the commit to use
protected arguments as default [0] introduced the CVE (if so,
v3.2.4pre1 is not affected).

The protect args as default commit affects some of the variables
mentioned in the Restriction enforcement thread [1]. This commit also
introduces the old_style_args flag. In the main patch for the CVE [2],
if old_style_args is set to true then the add_implied_include function
promptly returns.

Thank you for your consideration and insight,
Mark Esler

[0] https://git.samba.org/?p=rsync.git;a=commit;h=6b8db0f6440b28d26ef807d17517715c47e62bd9
[1] https://www.mail-archive.com/rsync@lists.samba.org/msg33452.html
[2] https://git.samba.org/?p=rsync.git;a=commit;h=b7231c7d02cfb65d291af74ff66e7d8c507ee871

-- 
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
