Lsyncd: Remote execution of arbitrary code — GLSA 201702-05

A vulnerability in Lsyncd allows execution of arbitrary code.

Affected Packages

app-admin/lsyncd on all architectures
Affected versions < 2.1.6
Unaffected versions >= 2.1.6

Background

A daemon to synchronize local directories using rsync.

Description

default-rsyncssh.lua in Lsyncd performed insufficient sanitising of filenames.

Impact

An attacker, able to control files processed by Lsyncd, could possibly execute arbitrary code with the privileges of the process or cause a Denial of Service condition.

Workaround

There is no known workaround at this time.

Resolution

All Lsyncd users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-admin/lsyncd-2.1.6"
 

References

Release Date
February 10, 2017

Latest Revision
February 10, 2017: 1

Severity
normal

Exploitable
local, remote

Bugzilla entries