Christian Weisgerber:
> * There was that recent zlib vulnerability.
> How about rsync?
There is a single call to deflateInit*() in rsync, found in token.c:
    if (deflateInit2(&tx_strm, compression_level,
                     Z_DEFLATED, -15, 8,
                     Z_DEFAULT_STRATEGY) != Z_OK) {
The originally reported Z_FIXED vulnerability doesn't affect this.
Eric Biggers' reproducer for
deflateInit2(&strm, 7, Z_DEFLATED, 15, 1, Z_DEFAULT_STRATEGY);
is also not applicable if you read his report:
https://www.openwall.com/lists/oss-security/2022/03/28/1
So it looks like the way rsync uses its modified private copy of
zlib is safe.
--
Christian "naddy" Weisgerber [email protected]
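As an added illustration (not part of the thread, and not rsync's own code), the following Python uses the zlib module's compressobj(), whose level/wbits/memLevel/strategy arguments map directly onto deflateInit2(), to build a raw-deflate stream with the exact parameters quoted from token.c (windowBits -15, memLevel 8, Z_DEFAULT_STRATEGY) and round-trip a buffer through it. It also compares a parameter set against the two cases named in the thread: the Z_FIXED strategy and Biggers' deflateInit2(&strm, 7, Z_DEFLATED, 15, 1, Z_DEFAULT_STRATEGY) reproducer. The sample data and the helper names are constructed for this example; the check only covers the two parameter sets the thread actually cites, nothing more.

```python
import zlib

# deflateInit2() arguments rsync's token.c passes (quoted in the post above).
# compression_level itself comes from the user's rsync options.
RSYNC_WBITS = -15                      # raw deflate: no zlib header/trailer
RSYNC_MEMLEVEL = 8
RSYNC_STRATEGY = zlib.Z_DEFAULT_STRATEGY

# The two parameter sets the thread refers to.
Z_FIXED_CASE = {"strategy": zlib.Z_FIXED}
BIGGERS_REPRODUCER = {"level": 7, "wbits": 15, "memlevel": 1,
                      "strategy": zlib.Z_DEFAULT_STRATEGY}
REPORTED_CASES = (Z_FIXED_CASE, BIGGERS_REPRODUCER)

# Constructed sample input: compressible text, as an rsync token stream might carry.
SAMPLE_DATA = b"the quick brown fox jumps over the lazy dog\n" * 64

# A variant that keeps rsync's other settings but switches to Z_FIXED (hypothetical).
Z_FIXED_VARIANT = {"level": 6, "wbits": RSYNC_WBITS, "memlevel": RSYNC_MEMLEVEL,
                   "strategy": zlib.Z_FIXED}


def rsync_style_params(compression_level):
    """deflateInit2-equivalent keyword arguments matching rsync's token.c call."""
    return {"level": compression_level, "wbits": RSYNC_WBITS,
            "memlevel": RSYNC_MEMLEVEL, "strategy": RSYNC_STRATEGY}


def matches_reported_case(params):
    """True if every key of one cited parameter set agrees with params."""
    return any(all(params.get(k) == v for k, v in case.items())
               for case in REPORTED_CASES)


def raw_deflate_roundtrip(data, compression_level=6):
    """Compress with rsync's parameters, then inflate the raw stream back.

    Returns (compressed_stream, restored_bytes).
    """
    p = rsync_style_params(compression_level)
    comp = zlib.compressobj(p["level"], zlib.DEFLATED, p["wbits"],
                            p["memlevel"], p["strategy"])
    stream = comp.compress(data) + comp.flush()
    # Negative wbits on the inflate side tells zlib to expect raw deflate too.
    decomp = zlib.decompressobj(p["wbits"])
    restored = decomp.decompress(stream) + decomp.flush()
    return stream, restored


if __name__ == "__main__":
    print("rsync params match a cited case:",
          matches_reported_case(rsync_style_params(6)))
    print("Biggers reproducer matches:", matches_reported_case(BIGGERS_REPRODUCER))
    stream, restored = raw_deflate_roundtrip(SAMPLE_DATA)
    print("round-trip ok:", restored == SAMPLE_DATA, "ratio:",
          round(len(stream) / len(SAMPLE_DATA), 3))
```

The comparison is deliberately literal: it tells you whether a given deflateInit2() call is one of the configurations the report describes, which is the same question the post answers by inspection of token.c. It says nothing about other parameter combinations, so a mismatch is evidence only that the cited cases do not apply, not a general safety verdict.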