Ce mail provient de l'extérieur, restons vigilants ===================================================================== CERT-Renater Note d'Information No. 2026/VULN524 _____________________________________________________________________ DATE : 20/05/2026 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running rsync versions prior to 3.4.3. ===================================================================== https://download.samba.org/pub/rsync/NEWS#3.4.3 _____________________________________________________________________ NEWS for rsync 3.4.3 (20 May 2026) Changes in this version: SECURITY FIXES: Six CVEs are fixed in this release. All six are assigned by VulnCheck as CNA. Affected versions are 3.4.2 and earlier in every case. Three of the six (CVE-2026-29518, CVE-2026-43617, CVE-2026-43619) require non-default daemon configuration to reach: the first and third need use chroot = no for a module, the second needs daemon chroot = ... set in rsyncd.conf. Two (CVE-2026-43618, CVE-2026-43620) are reachable from a normal pull or a normal authenticated daemon connection. The sixth (CVE-2026-45232) is reachable only when RSYNC_PROXY is set and the proxy (or a MITM) returns a pathological response. Many thanks to the external researchers who reported these issues. CVE-2026-29518 (CVSS v4.0 7.3, HIGH): TOCTOU symlink race condition allowing local privilege escalation in daemon mode without chroot. An rsync daemon configured with "use chroot = no" was exposed to a time-of-check / time-of-use race on parent path components: a local attacker with write access to a module could replace a parent directory component with a symlink between the receiver's check and its open(), redirecting reads (basis-file disclosure) and writes (file overwrite) outside the module. Default "use chroot = yes" is not exposed. secure_relative_open() (added in 3.4.0 for CVE-2024-12086) was previously unused in the daemon-no-chroot case; the fix enables it there and reroutes the sender's read-path opens through it. Reported by Nullx3D (Batuhan Sancak), Damien Neil and Michael Stapelberg. CVE-2026-43617 (CVSS v3.1 4.8, MEDIUM): Hostname/ACL bypass on an rsync daemon configured with daemon chroot = /X in rsyncd.conf when the chroot tree lacks DNS resolution support. The reverse-DNS lookup of the connecting client was performed after the daemon chroot had been entered; if /X did not contain the libc resolver fixtures (/etc/resolv.conf, /etc/nsswitch.conf, /etc/hosts, NSS service modules) the lookup failed and the connecting hostname was set to "UNKNOWN", causing hostname-based deny rules to silently fail open. IP-based ACLs are unaffected. The per-module use chroot setting is unrelated to this issue. The fix performs the lookup before entering the daemon chroot. Reported by MegaManSec. CVE-2026-43618 (CVSS v3.1 8.1, HIGH): Integer overflow in the compressed-token decoder enabling remote memory disclosure to an authenticated daemon peer. The receiver accumulated a 32-bit signed counter without overflow checking; a malicious sender could trigger an overflow that, with careful manipulation, leaked process memory contents to the attacker -⁠-⁠ environment variables, passwords, heap and library pointers -⁠-⁠ significantly weakening ASLR. The fix bounds the counter and adds wire-input validation in several adjacent places (defence-in-depth). Workaround for older releases: refuse options = compress in rsyncd.conf. Reported by Omar Elsayed. CVE-2026-43619 (CVSS v3.1 6.3, MEDIUM): Symlink races on path-based system calls in "use chroot = no" daemon mode (generalisation of CVE-2026-29518). Earlier fixes for symlink races on the receiver's open() call missed the same race class on every other path-based system call: chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir and lstat. The fix routes each affected path-based syscall through a parent dirfd opened under RESOLVE_BENEATH-equivalent kernel-enforced confinement (openat2 on Linux 5.6+, O_RESOLVE_BENEATH on FreeBSD 13+ and macOS 15+, per-component O_NOFOLLOW walk elsewhere). Default "use chroot = yes" is not exposed. Reported by Andrew Tridgell as a follow-on audit of CVE-2026-29518. CVE-2026-43620 (CVSS v3.1 6.5, MEDIUM): Out-of-bounds read in the receiver's recv_files() enabling remote denial-of-service of any client pulling from a malicious server (incomplete fix of commit 797e17f). The earlier parent_ndx<0 guard added to send_files() was not applied to the visually-identical block in recv_files(). A malicious rsync server can drive any connecting client into a deterministic SIGSEGV by setting CF_INC_RECURSE in the compatibility flags and sending a crafted file list and transfer record. inc_recurse is the protocol-30+ default, so no special options are required on the victim. Workaround for older releases: --no-inc-recursive on the client. Reported by Pratham Gupta. CVE-2026-45232 (CVSS v3.1 3.1, LOW): Off-by-one out-of-bounds stack write in the rsync client's HTTP CONNECT proxy handler (establish_proxy_connection() in socket.c). After issuing the CONNECT request, rsync read the proxy's first response line one byte at a time into a 1024-byte stack buffer with the bound cp < &buffer[sizeof buffer - 1]. If the proxy (or a MITM in front of it) returned 1023+ bytes on that first line without a newline terminator, cp exited the loop pointing at a buffer slot the loop never wrote, leaving *cp holding stale stack data from the earlier snprintf() of the outgoing CONNECT request. The post-loop logic then wrote a single \0 one byte past the end of the buffer on the stack. Reach is client-side only, and only when RSYNC_PROXY is set so rsync tunnels an rsync:// connection through an HTTP CONNECT proxy. The written byte is always \0 and the offset is fixed by the buffer size, not attacker-chosen, so this is not an arbitrary-write primitive: practical impact is corruption of one adjacent stack byte and possible later misbehaviour or crash. The fix detects the "buffer filled without finding \n" case explicitly by position and refuses the response with "proxy response line too long". Reported by Aisle Research via Michal Ruprich (rsync-3.4.1-2.el10 QE). In addition to the six CVE fixes, this release adds defence-in-depth hardening on several adjacent paths: bounded wire-supplied counts and lengths in flist/io/acls/xattrs, a guard against length underflow in cumulative snprintf() callers, a parent block-index bounds check on the receiver, a NULL check in read_delay_line(), a lower ceiling on MAX_WIRE_DEL_STAT to avoid signed-int overflow in the read_del_stats() accumulator, rejection of hyphen-prefixed remote-shell hostnames (defence-in-depth against argv-injection in tooling that forwards untrusted input into the hostspec position; reported by Aisle Research via Michal Ruprich), and a NULL-check on localtime_r() in timestring() to keep a malicious server from crashing the client by advertising a file with an out-of-range modtime. BUG FIXES: Fixed a regression introduced by the 3.4.0 secure_relative_open() CVE fix where legitimate directory symlinks on the receiver side (e.g. when using -K / --copy-dirlinks) caused "failed verification -⁠-⁠ update discarded" errors on delta transfers. The old code rejected every symlink in the path with a per-component O_NOFOLLOW walk; the receiver now uses kernel-enforced "stay below dirfd" path resolution where available. Fixes #715. PORTABILITY / BUILD: secure_relative_open() now uses openat2(RESOLVE_BENEATH | RESOLVE_NO_MAGICLINKS) on Linux 5.6+, and openat() with O_RESOLVE_BENEATH on FreeBSD 13+ and macOS 15+ (Sequoia) / iOS 18+. The kernel rejects ".." escapes, absolute symlinks, and symlinks whose target lies outside the starting directory, while still following symlinks that resolve within it -⁠-⁠ the same trade-off that fixes the issue #715 regression without weakening the original CVE protection. Other platforms (Solaris, OpenBSD, NetBSD, Cygwin) retain the previous per-component O_NOFOLLOW walk; on those platforms the issue #715 regression remains visible. testsuite/xattrs: ignore SUNWattr_* in the Solaris xls helper. DEVELOPER RELATED: Added testsuite/symlink-dirlink-basis.test (taken from PR #864 by Samuel Henrique) covering the issue #715 regression and several edge cases (--backup, --inplace, --partial-dir with protocol < 29, top-level files). The test skips on platforms without a RESOLVE_BENEATH equivalent. Added regression tests for the new security fixes: chmod-symlink-race.test, chdir-symlink-race.test, bare-do-open-symlink-race.test, alt-dest-symlink-race.test, copy-dest-source-symlink.test, sender-flist-symlink-leak.test, secure-relpath-validation.test, daemon-chroot-acl.test and daemon-refuse-compress.test. The symlink-race tests skip on Cygwin, Solaris, OpenBSD and NetBSD (no RESOLVE_BENEATH equivalent on those platforms). runtests.py now errors early with a clear message when any of the test helper programs (tls, trimslash, t_unsafe, t_chmod_secure, t_secure_relpath, wildtest, getgroups, getfsdev) are missing, instead of letting many tests fail with confusing "not found" errors. Added OpenBSD and NetBSD CI jobs that run make check on those platforms. Added Ubuntu 22.04 and AlmaLinux 8 CI workflows so future backports to the two mainstream LTS families build and test on the same CI surface as trunk. testsuite/protected-regular.test now runs unprivileged via unshare with user-namespace UID mapping, falling back to skip if unshare/uidmap is not available; previously it required real root. Added symlink-dirlink-basis to the Cygwin CI's expected-skipped list. Removed the old release system (replaced by the new release script in 3.4.2). ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================