Vulnerability CVE-2022-29154: Information
Description
An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client; however, the rsync client performs insufficient validation of the file names it receives. A malicious rsync server (or man-in-the-middle attacker) can therefore overwrite arbitrary files in the rsync client's target directory and its subdirectories (for example, the .ssh/authorized_keys file).
Severity: HIGH (7.4) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
Fixed packages
| Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
|---|---|---|---|---|---|---|
| rsync | sisyphus | 3.2.5-alt0.1 | 3.2.7-alt1 | ALT-PU-2022-2327-1 | 304640 | Fixed |
| rsync | sisyphus_e2k | 3.2.5-alt0.1 | 3.2.7-alt1 | ALT-PU-2022-5673-1 | - | Fixed |
| rsync | sisyphus_riscv64 | 3.2.5-alt0.1 | 3.2.7-alt1 | ALT-PU-2022-5665-1 | - | Fixed |
| rsync | p10 | 3.2.5-alt0.2 | 3.2.7-alt1 | ALT-PU-2022-2434-1 | 305085 | Fixed |
| rsync | p10_e2k | 3.2.5-alt0.2 | 3.2.7-alt1 | ALT-PU-2022-5779-1 | - | Fixed |
| rsync | c10f1 | 3.2.5-alt0.2 | 3.2.7-alt1 | ALT-PU-2022-2434-1 | 305085 | Fixed |
| rsync | c9f2 | 3.2.5-alt0.1 | 3.2.5-alt1 | ALT-PU-2022-2368-1 | 304771 | Fixed |
References to Advisories, Solutions, and Tools
| Hyperlink | Resource |
|---|---|
| [oss-security] 20220802 CVE-2022-29154: Rsync client-side arbitrary file write vulnerability. | |
| https://github.com/WayneD/rsync/tags | |
| FEDORA-2022-25e4dbedf9 | |
| FEDORA-2022-15da0cf165 | |