Re: CVE-2022-29154 and v3.2.3

2022-08-18 Thread Mark Esler via rsync 
Hi Wayne,

Thank you for your detailed answer and links.

Gratefully,
Mark Esler

On Wed, Aug 17, 2022 at 6:52 PM Wayne Davison  wrote:
>
> On Wed, Aug 17, 2022 at 9:30 AM Mark Esler wrote:
>>
>> I am curious if CVE-2022-29154 affects rsync 3.2.3 or rrsync 3.2.3 and 
>> earlier.
>
>
> The security page covers this: it's all versions prior to 3.2.5.
>
>> if old_style_args is set to true then the add_implied_include function 
>> promptly returns.
>
>
> The NEWS discusses this under PACKAGING: the new verification feature 
> requires the quoted args feature from 3.2.4. Without that change, rsync can't 
> reliably determine what the remote arguments actually are (many people add 
> quotes to old-style args, expect splitting on spaces, variables can be 
> expanded, etc).  Asking to use unprotected remote args therefore implies 
> trusting the sender.  There is some discussion about this in the manpage.
>
> One alternative would be to force --protect-args on by default (there is a 
> configure --with-protected-args option for that) and then base the security 
> bypass on protect_args being 0 instead of old_style_args being non-0.
>
> ..wayne..

-- 
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html

Re: CVE-2022-29154 and v3.2.3

2022-08-17 Thread Wayne Davison via rsync 
On Wed, Aug 17, 2022 at 9:30 AM Mark Esler wrote:

> I am curious if CVE-2022-29154 affects rsync 3.2.3 or rrsync 3.2.3 and
> earlier.


The security page  covers this: it's
all versions prior to 3.2.5.

if old_style_args is set to true then the add_implied_include function
> promptly returns.
>

The NEWS  discusses this
under PACKAGING: the new verification feature requires the quoted args
feature from 3.2.4. Without that change, rsync can't reliably determine
what the remote arguments actually are (many people add quotes to old-style
args, expect splitting on spaces, variables can be expanded, etc).  Asking
to use unprotected remote args therefore implies trusting the sender.
There is some discussion about this in the manpage
.

One alternative would be to force --protect-args on by default (there is a
configure --with-protected-args option for that) and then base the security
bypass on protect_args being 0 instead of old_style_args being non-0.

..wayne..
-- 
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html