Hi Wayne,

Thank you for your detailed answer and links.

Gratefully,
Mark Esler

On Wed, Aug 17, 2022 at 6:52 PM Wayne Davison <wa...@opencoder.net> wrote:
>
> On Wed, Aug 17, 2022 at 9:30 AM Mark Esler wrote:
>>
>> I am curious if CVE-2022-29154 affects rsync 3.2.3 or rrsync 3.2.3 and 
>> earlier.
>
>
> The security page covers this: it's all versions prior to 3.2.5.
>
>> if old_style_args is set to true then the add_implied_include function 
>> promptly returns.
>
>
> The NEWS discusses this under PACKAGING: the new verification feature 
> requires the quoted args feature from 3.2.4. Without that change, rsync can't 
> reliably determine what the remote arguments actually are (many people add 
> quotes to old-style args, expect splitting on spaces, variables can be 
> expanded, etc).  Asking to use unprotected remote args therefore implies 
> trusting the sender.  There is some discussion about this in the manpage.
>
> One alternative would be to force --protect-args on by default (there is a 
> configure --with-protected-args option for that) and then base the security 
> bypass on protect_args being 0 instead of old_style_args being non-0.
>
> ..wayne..
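As an added illustration of the point Wayne makes above (why rsync cannot reliably verify old-style remote args, and why the check depends on the protected-args feature), here is a small constructed model of the two transport styles; it is not rsync's own code, and the remote environment values in it are made up:

```python
"""Toy model of the argument problem described in the message above.

Constructed illustration only, not rsync's own code. Old-style remote args are
joined into one command line that the remote shell re-splits and expands;
protected args (rsync -s / --protect-args) travel as separate strings inside
the rsync protocol stream, so the remote side sees exactly what was sent.
"""
import re
import shlex

# Constructed environment standing in for the remote login shell's variables.
REMOTE_ENV = {"HOME": "/home/remote"}


def remote_view_old_style(args, env=REMOTE_ENV):
    """What the remote rsync receives when args pass through the remote shell.

    Simplified model: expand $VAR references, then apply shell word splitting.
    Quotes and backslashes are consumed by the split and never reach rsync.
    """
    cmdline = " ".join(args)
    expanded = re.sub(r"\$(\w+)", lambda m: env.get(m.group(1), m.group(0)), cmdline)
    return shlex.split(expanded)


def remote_view_protected(args):
    """What the remote rsync receives with --protect-args: every arg intact."""
    return list(args)


def verifiable(args, view):
    """True if a remote check could recover the sender's original arg list."""
    return view(args) == list(args)


if __name__ == "__main__":
    cases = [
        ["two words/", "dest/"],     # embedded space: remote sees three args
        ['"two words/"', "dest/"],   # user-added quotes: remote never sees them
        ["$HOME/src/", "dest/"],     # variable expanded by the remote shell
    ]
    for args in cases:
        for name, view in (("old-style", remote_view_old_style),
                           ("protected", remote_view_protected)):
            status = "verifiable" if verifiable(args, view) else "NOT verifiable"
            print(f"{args!r:32} {name:9} -> {view(args)!r:34} {status}")
```

Note that `["two words/", "dest/"]` and `["two", "words/", "dest/"]` produce the identical old-style remote view, so no remote check can tell them apart; with protected args each list arrives as sent.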

-- 
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
