In association with heise online

21 August 2007, 11:49

Security vulnerability in rsync


Suse developer Sebastian Krahmer has detected two off-by-one vulnerabilities in the rsync file and directory synchronisation tool. The affected function f_name() from the file sender.c incorrectly processes specially crafted directory names and in some cases truncates a slash at the end of a directory name.

In some cases attackers can exploit the vulnerability to inject malicious code. Krahmer provides a patch for the current, affected rsync version 2.6.9, which users who compile rsync themselves can apply to their sources. Older versions may also contain the vulnerabilities. Linux distributors are providing fixed rsync packages, which users of the tool should install as soon as possible.
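The off-by-one class described above, shown on a directory-plus-file-name join into a fixed-size buffer. This is an added illustration, not the code of rsync's f_name() or of Krahmer's patch; CAP, join_flawed, join_checked and probe are hypothetical names, and the sample path "backup/2007" + "data" is constructed so that directory, slash and name add up to exactly CAP characters.

```c
#include <stdio.h>
#include <string.h>

#define CAP   16    /* constructed stand-in for a fixed path-length limit */
#define GUARD 0x7e  /* marker kept in the spare byte behind the buffer */
enum { FITS, OVERRUN, REJECTED };
typedef int (*join_fn)(char *, size_t, const char *, const char *);

/* Flawed check: counts the '/' separator but not the terminating NUL. */
static int join_flawed(char *out, size_t cap, const char *dir, const char *name)
{
    size_t dlen = strlen(dir), nlen = strlen(name);
    if (dlen + 1 + nlen > cap)            /* off by one */
        return -1;
    memcpy(out, dir, dlen);
    out[dlen] = '/';
    memcpy(out + dlen + 1, name, nlen);
    out[dlen + 1 + nlen] = '\0';          /* index == cap when the sum equals cap */
    return 0;
}

/* Corrected check: dir + '/' + name + NUL must all fit in cap bytes. */
static int join_checked(char *out, size_t cap, const char *dir, const char *name)
{
    size_t dlen = strlen(dir), nlen = strlen(name);
    if (dlen >= cap || nlen >= cap - dlen - 1)
        return -1;
    memcpy(out, dir, dlen);
    out[dlen] = '/';
    memcpy(out + dlen + 1, name, nlen + 1);   /* copies the NUL as well */
    return 0;
}

/* Backs a CAP-byte buffer with CAP + 1 bytes so a one-byte overrun is observable. */
static int probe(join_fn fn, const char *dir, const char *name)
{
    char store[CAP + 1];
    memset(store, GUARD, sizeof store);
    if (fn(store, CAP, dir, name) != 0)
        return REJECTED;
    return store[CAP] != GUARD ? OVERRUN : FITS;
}

int main(void)
{
    printf("flawed:  %d\n", probe(join_flawed, "backup/2007", "data"));
    printf("checked: %d\n", probe(join_checked, "backup/2007", "data"));
    return 0;
}
```

Only the boundary length separates the two functions: for any shorter path both produce the same result, which is why bugs of this kind survive ordinary testing.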

See also:

  • Entry and description of the vulnerability in the database Common Vulnerabilities and Exposures
  • Patch for rsync 2.6.9 from Sebastian Krahmer

