QwikSec

Security Database

CVE

CWE

Training

CVE-2017-17434

Published: Dec 6, 2017

Modified: Aug 5, 2024

PUBLISHED

Description

The daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, does not check for fnamecmp filenames in the daemon_filter_list data structure (in the recv_files function in receiver.c) and also does not apply the sanitize_paths protection mechanism to pathnames found in "xname follows" strings (in the read_ndx_and_attrs function in rsync.c), which allows remote attackers to bypass intended access restrictions.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://git.samba.org/?p=rsync.git%3Ba=commit%3Bh=70aeb5fddd1b2f8e143276f8d5a085db16c593b9

x_refsource_MISC

http://security.cucumberlinux.com/security/details.php?id=170

x_refsource_CONFIRM

vendor-advisory

x_refsource_DEBIAN

[debian-lts-announce] 20171222 [SECURITY] [DLA 1218-1] rsync security update

mailing-list

x_refsource_MLIST

https://git.samba.org/?p=rsync.git%3Ba=commit%3Bh=5509597decdbd7b91994210f700329d8a35e70a1

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.