Greetings all,

I am curious if CVE-2022-29154 affects rsync 3.2.3 or rrsync 3.2.3 and
earlier. More specifically, I am curious if the commit to use
protected arguments as default [0] introduced the CVE (if so,
v3.2.4pre1 is not affected).

The protect args as default commit affects some of the variables
mentioned in the Restriction enforcement thread [1]. This commit also
introduces the old_style_args flag. In the main patch for the CVE [2],
if old_style_args is set to true then the add_implied_include function
promptly returns.

Thank you for your consideration and insight,
Mark Esler

