On Wed, Aug 17, 2022 at 9:30 AM Mark Esler wrote:

> I am curious if CVE-2022-29154 affects rsync 3.2.3 or rrsync 3.2.3 and
> earlier.

The security page <https://rsync.samba.org/security.html> covers this: it's
all versions prior to 3.2.5.

> if old_style_args is set to true then the add_implied_include function
> promptly returns.

The NEWS <https://download.samba.org/pub/rsync/NEWS#3.2.5> discusses this
under PACKAGING: the new verification feature requires the quoted args
feature from 3.2.4. Without that change, rsync can't reliably determine
what the remote arguments actually are (many people add quotes to old-style
args, expect splitting on spaces, variables can be expanded, etc).  Asking
to use unprotected remote args therefore implies trusting the sender.
There is some discussion about this in the manpage
<https://download.samba.org/pub/rsync/rsync.1#opt--trust-sender>.

One alternative would be to force --protect-args on by default (there is a
configure --with-protected-args option for that) and then base the security
bypass on protect_args being 0 instead of old_style_args being non-0.

..wayne..
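The point above, that a remote login shell re-parses old-style rsync arguments (word splitting, quote removal, variable expansion) while protected args travel over the rsync connection verbatim, can be shown with a small shell simulation. This is an added illustration, not code from rsync or from the mailing-list posters: `join_args` is a hypothetical stand-in for the remote `rsync --server` process (it just reports the argv it received), `eval` plays the role of the remote shell, and `REMOTE_VAR` is a constructed environment value.

```shell
#!/bin/sh
# Added illustration (not rsync's own code) of why a receiver cannot know what
# an old-style argument "really" means: the remote shell rewrites it first.
# Constructed environment value standing in for something like $HOME on the remote.
REMOTE_VAR=/home/user

# Hypothetical stand-in for the remote "rsync --server" process:
# reports the argv it actually received, joined with '|'.
join_args() {
    sep=""
    out=""
    for a in "$@"; do
        out="$out$sep$a"
        sep="|"
    done
    printf '%s' "$out"
}

# Old-style transmission: the client joins the args into a single command line,
# and the remote login shell parses that string again before exec'ing rsync.
# eval reproduces that second parse (splitting, quote removal, expansion).
old_style_argv() {
    eval "join_args $*"
}

# Protected transmission (rsync -s / --protect-args): each arg is sent as a
# distinct string over the rsync connection and never touches the remote shell.
protected_argv() {
    join_args "$@"
}

# A defender-side check: the same client-supplied strings yield different argv
# depending on the mode, so a receiver that does not know the mode cannot
# reliably verify them. Returns 0 when the two modes disagree.
modes_disagree() {
    [ "$(old_style_argv "$@")" != "$(protected_argv "$@")" ]
}

echo "old-style : $(old_style_argv 'dir with spaces' '$REMOTE_VAR')"
echo "protected : $(protected_argv 'dir with spaces' '$REMOTE_VAR')"
echo "old-style, user pre-quoted : $(old_style_argv '"dir with spaces"')"
echo "protected, user pre-quoted : $(protected_argv '"dir with spaces"')"
```

Note how a user who "adds quotes to old-style args" gets the intended single path in old-style mode but a path that literally contains double quotes in protected mode; that ambiguity is exactly why the 3.2.5 argument verification is only meaningful when protected args are in use, and why unprotected remote args amount to `--trust-sender`.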