Mageia 8 MGASA-2022-0302 Critical: Rsync Remote File Overwrite Issue

August 25, 2022
Updated rsync packages fix a severe file overwrite vulnerability that lets a malicious remote server write files on connecting clients.

Summary

An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. However, the rsync client performs insufficient validation of file names. A malicious rsync server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory and subdirectories (for example, overwrite the .ssh/authorized_keys file). (CVE-2022-29154)
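
The validation gap described above, as an added Python example (not rsync's code and not part of the advisory): the client compares each server-supplied name with what it actually requested, which a path traversal check alone does not catch. The function names, the matching rule and the sample lists are assumptions constructed for illustration.

```python
# Added illustration: a simplified model of client-side file-list validation.
# It is not rsync's implementation; names and matching rules are assumptions.
# Sources with a trailing slash ("copy directory contents") are out of scope.
from fnmatch import fnmatchcase
from pathlib import PurePosixPath


def requested_patterns(source_args):
    """Top-level names the client asked for: last component of each source path."""
    names = (PurePosixPath(arg).name for arg in source_args)
    return [name for name in names if name]


def is_safe_relative(name):
    """Classic traversal check: reject empty, absolute, or '..' paths."""
    path = PurePosixPath(name)
    return bool(path.parts) and not path.is_absolute() and ".." not in path.parts


def validate_file_list(source_args, server_entries):
    """Split server-supplied names into (accepted, rejected)."""
    patterns = requested_patterns(source_args)
    accepted, rejected = [], []
    for entry in server_entries:
        ok = is_safe_relative(entry)
        if ok:
            # The entry stays inside the target directory; now check that
            # its top-level component is something the client requested.
            top = PurePosixPath(entry).parts[0]
            ok = any(fnmatchcase(top, pattern) for pattern in patterns)
        (accepted if ok else rejected).append(entry)
    return accepted, rejected


# Constructed sample: the client asked for one file and one directory.
REQUESTED = ["pub/notes.txt", "pub/reports"]
# Constructed file list, as a server that ignores the request might send it.
SERVER_LIST = [
    "notes.txt",
    "reports/q1.csv",
    ".ssh/authorized_keys",  # inside the target directory, never requested
    "../outside.txt",        # leaves the target directory
]

if __name__ == "__main__":
    ok, bad = validate_file_list(REQUESTED, SERVER_LIST)
    print("accepted:", ok)
    print("rejected:", bad)
```

The `.ssh/authorized_keys` entry passes `is_safe_relative` because it never leaves the target directory; it is rejected only by the comparison against the requested names.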

References

- https://bugs.mageia.org/show_bug.cgi?id=30696

- https://seclists.org/oss-sec/2022/q3/77

- https://www.openwall.com/lists/oss-security/2022/08/02/1

- https://www.cve.org/CVERecord?id=CVE-2022-29154

Resolution

SRPMS

- 8/core/rsync-3.2.2-2.1.mga8

Severity
critical

Publication date: 25 Aug 2022
URL: https://advisories.mageia.org/MGASA-2022-0302.html
Type: security
CVE: CVE-2022-29154
