rsync: Arbitrary command execution — GLSA 201805-04

A vulnerability in rsync might allow remote attackers to execute arbitrary commands.

Affected packages

net-misc/rsync on all architectures
Affected versions < 3.1.3
Unaffected versions >= 3.1.3

Background

rsync is a file transfer program that keeps remote files in sync.

Description

A vulnerability was discovered in rsync’s parse_arguments function in options.c.

Impact

Remote attackers could possibly execute arbitrary commands with the privileges of the process.

Workaround

There is no known workaround at this time.

Resolution

All rsync users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-misc/rsync-3.1.3"
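
To triage hosts against the affected range above (< 3.1.3), the following added example, which is not part of the advisory or of rsync, classifies the first line of `rsync --version` output. The function names and sample banners are constructed for illustration, and a pre-release of 3.1.3 is assumed to count as affected.

```shell
#!/bin/sh
# Added example: classify an rsync version against GLSA 201805-04 (< 3.1.3).
# Function names are hypothetical; sample banners below are constructed.

FIXED_VERSION="3.1.3"   # first unaffected version, taken from the advisory

# Print the version token from the first line of `rsync --version` output,
# e.g. "rsync  version 3.1.2  protocol version 31" -> "3.1.2".
rsync_banner_version() {
    printf '%s\n' "$1" |
        sed -n '1s/^rsync  *version  *v\{0,1\}\([0-9][^ ]*\).*/\1/p'
}

# Return 0 if version $1 is older than FIXED_VERSION (affected), 1 if it is
# not, 2 if it cannot be parsed. A pre-release of the fixed version
# (for example 3.1.3pre1) is treated as affected.
rsync_is_affected() {
    ver=$1
    nums=${ver%%[!0-9.]*}      # numeric part: 3.1.3pre1 -> 3.1.3
    suffix=${ver#"$nums"}      # remainder: "pre1" or empty
    case $nums in ''|.*|*..*|*.) return 2 ;; esac   # empty or malformed
    IFS=. read -r a1 a2 a3 _rest <<EOF
$nums
EOF
    IFS=. read -r b1 b2 b3 _rest <<EOF
$FIXED_VERSION
EOF
    # Compare major, minor, patch in order; missing fields count as 0.
    for pair in "${a1}:${b1}" "${a2:-0}:${b2}" "${a3:-0}:${b3}"; do
        a=${pair%:*}; b=${pair#*:}
        [ "$a" -lt "$b" ] && return 0
        [ "$a" -gt "$b" ] && return 1
    done
    [ -n "$suffix" ] && return 0   # same numbers, but a pre-release
    return 1
}

# Constructed sample banners (not captured from real hosts).
for banner in \
    "rsync  version 3.1.2  protocol version 31" \
    "rsync  version 3.1.3  protocol version 31"; do
    v=$(rsync_banner_version "$banner")
    if rsync_is_affected "$v"; then
        echo "$v: affected, upgrade to >= $FIXED_VERSION"
    else
        echo "$v: not in the affected range"
    fi
done
```

The banner only reports the upstream version string, so the package manager's view of the installed net-misc/rsync version remains the authoritative check on Gentoo.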
 

References

Release date
May 08, 2018

Latest revision
May 08, 2018: 1

Severity
normal

Exploitable
remote

Bugzilla entries