Bug 33920 - rsync new security issues CVE-2024-1208[4-8] and CVE-2024-12747
Summary: rsync new security issues CVE-2024-1208[4-8] and CVE-2024-12747
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-32-OK MGA9-64-OK
Keywords: advisory, validated_update
Duplicates: 33957
Depends on:
Blocks:
 
Reported: 2025-01-15 09:47 CET by Nicolas Salguero
Modified: 2025-01-24 10:27 CET

See Also:
Source RPM: rsync-3.2.7-1.mga9.src.rpm
CVE: CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, CVE-2024-12747
Status comment:


Description Nicolas Salguero 2025-01-15 09:47:50 CET
Those CVEs were announced here:
https://www.openwall.com/lists/oss-security/2025/01/14/3
Nicolas Salguero 2025-01-15 09:48:32 CET

CVE: (none) => CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, CVE-2024-12747
Status comment: (none) => Fixed upstream in 3.4.0
Source RPM: (none) => rsync-3.2.7-1.mga9.src.rpm

Comment 1 Guillaume Bedot 2025-01-15 12:29:40 CET
all versions until 3.4.0 are affected

CC: (none) => guillaume.bedot

Comment 2 Nicolas Salguero 2025-01-15 15:28:47 CET
Debian has issued an advisory on January 14:
https://lists.debian.org/debian-security-announce/2025/msg00004.html

Status comment: Fixed upstream in 3.4.0 => Fixed upstream in 3.4.0 and patches available from Debian

Comment 3 Nicolas Salguero 2025-01-15 15:42:37 CET
Ubuntu has issued an advisory on January 14:
https://ubuntu.com/security/notices/USN-7206-1

Status comment: Fixed upstream in 3.4.0 and patches available from Debian => Fixed upstream in 3.4.0 and patches available from Debian and Ubuntu

Comment 4 Nicolas Salguero 2025-01-15 16:52:17 CET
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

Heap buffer overflow in rsync due to improper checksum length handling. (CVE-2024-12084)

Info leak via uninitialized stack contents. (CVE-2024-12085)

Rsync server leaks arbitrary client files. (CVE-2024-12086)

Path traversal vulnerability in rsync. (CVE-2024-12087)

Rsync --safe-links option bypass leads to path traversal. (CVE-2024-12088)

Race condition in rsync handling symbolic links. (CVE-2024-12747)

References:
https://www.openwall.com/lists/oss-security/2025/01/14/3
https://lists.debian.org/debian-security-announce/2025/msg00004.html
https://ubuntu.com/security/notices/USN-7206-1
========================

Updated package in core/updates_testing:
========================
rsync-3.2.7-1.1.mga9

from SRPM:
rsync-3.2.7-1.1.mga9.src.rpm

Status comment: Fixed upstream in 3.4.0 and patches available from Debian and Ubuntu => (none)
Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED

katnatek 2025-01-15 20:22:09 CET

Keywords: (none) => advisory

Comment 5 Herman Viaene 2025-01-17 16:04:50 CET
MGA9-64 Plasma Wayland on Compaq H000SB
No installation issues.
Ref bug 25118 for testing.
Used rsync to get a folder with pictures from my desktop PC.
$ rsync -arvuh herman@mach1:/home/herman/Afbeeldingen/2014/20140119NieuwjaarViaene /home/tester9/Pictures/
(herman@mach1) Password: 
receiving incremental file list
20140119NieuwjaarViaene/
20140119NieuwjaarViaene/IMG_1251.jpg
20140119NieuwjaarViaene/IMG_1259.jpg
20140119NieuwjaarViaene/IMG_1271.jpg
20140119NieuwjaarViaene/IMG_1272.jpg
20140119NieuwjaarViaene/IMG_1273.jpg

sent 123 bytes  received 19.86M bytes  1.47M bytes/sec
total size is 19.85M  speedup is 1.00
Transfer was OK.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

Comment 6 Len Lawrence 2025-01-17 16:28:26 CET
Herman beat me to it.
mageia9, x86_64

rsync has been in use here frequently for ad hoc backups.
Exploiting the vulnerabilities recorded in the CVEs is beyond the scope of QA level hackers.
After the update used rsync to copy a set of folders across the LAN to a local backup store.
$ rsync -a /home/<user>/pad/* /home/<user>/backpad

On another machine updated rsync and downloaded a Mageia iso via a ruby script.

RSYNC_PASSWORD="#{pass}" rsync -avHP rsync://isoqa@bcd.mageia.org/isos/#{release}/#{name}/ .
That worked fine. Checksums OK.

CC: (none) => tarazed25

Comment 7 Herman Viaene 2025-01-17 16:39:15 CET
@Len
Héhé
Comment 8 Brian Rockwell 2025-01-17 23:03:35 CET
Installed without issue.

$ rsync --version
rsync  version 3.2.7  protocol version 31

I think we've tested enough.

CC: (none) => brtians1

Comment 9 Ben McMonagle 2025-01-17 23:42:18 CET
plasma i586

updated rsync.

ran from a script:

NOW="`date +%d%m%Y-%T`"
rsync -f"- */" -f"+ *" -avPH run/media/work/isos/CI32/ run/media/work/isos/CI32/Backup-$NOW

sending incremental file list
created directory /run/media/work/isos/CI32/Backup-18012025-11:41:03
./
DATE.txt
             33 100%    0.00kB/s    0:00:00 (xfr#1, to-chk=8/10)
Mageia-9-i586.idx
        181,868 100%   86.72MB/s    0:00:00 (xfr#2, to-chk=7/10)
Mageia-9-i586.iso
  4,023,070,720 100%  182.94MB/s    0:00:20 (xfr#3, to-chk=6/10)
Mageia-9-i586.iso.md5
             52 100%    0.05kB/s    0:00:00 (xfr#4, to-chk=5/10)
Mageia-9-i586.iso.md5.gpg
            667 100%    0.67kB/s    0:00:00 (xfr#5, to-chk=4/10)
Mageia-9-i586.iso.sha3
            148 100%    0.15kB/s    0:00:00 (xfr#6, to-chk=3/10)
Mageia-9-i586.iso.sha3.gpg
            764 100%    0.77kB/s    0:00:00 (xfr#7, to-chk=2/10)
Mageia-9-i586.iso.sha512
            148 100%    0.15kB/s    0:00:00 (xfr#8, to-chk=1/10)
Mageia-9-i586.iso.sha512.gpg
            765 100%    0.77kB/s    0:00:00 (xfr#9, to-chk=0/10)

sent 4,024,238,065 bytes  received 267 bytes  187,173,875.91 bytes/sec
total size is 4,023,255,165  speedup is 1.00

Seemed to be OK.

CC: (none) => westel
Whiteboard: MGA9-64-OK => MGA9-64-OK | MGA9-32-OK

PC LX 2025-01-19 03:05:50 CET

CC: (none) => mageia

Comment 10 Thomas Andrews 2025-01-20 00:49:26 CET
Thanks, everyone!

Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 11 Guillaume Bedot 2025-01-20 16:50:28 CET
The current version is 3.4.1, which corrects the CVEs, not 3.2.7, which is from 2022...
Comment 12 Nicolas Salguero 2025-01-20 16:53:55 CET
(In reply to Guillaume Bedot from comment #11)
> The current version is 3.4.1, which corrects the CVEs, not 3.2.7, which is
> from 2022...

rsync-3.2.7-1.1.mga9 contains the needed patches to fix the CVEs.
Comment 13 Guillaume Bedot 2025-01-20 17:01:55 CET
indeed https://svnweb.mageia.org/packages/updates/9/rsync/current/SOURCES/?pathrev=2139570
sorry for the noise
Nicolas Salguero 2025-01-20 17:07:28 CET

Assignee: qa-bugs => nicolas.salguero
Keywords: validated_update => (none)
Whiteboard: MGA9-64-OK | MGA9-32-OK => (none)
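Comments 8 and 11 to 13 show where the confusion comes from: the patched package still reports 3.2.7 because the fixes are backported, so `rsync --version` alone cannot distinguish a patched build from an unpatched one. The Python below is an added check written for this page, not part of this bug, of the Mageia packaging or of rsync itself. It takes the version banner, the package version and release as printed by `rpm -q --qf '%{VERSION} %{RELEASE}\n' rsync`, and the package changelog from `rpm -q --changelog rsync`, and reports whether all six CVE IDs from this bug appear in the changelog and whether the release is at least 1.2.mga9 (the build that also carries the regression fix from comment 14; that threshold is an assumption taken from this bug). The changelog text embedded here is constructed for the example and is not the real package changelog; the release comparison is a simplified form of RPM's ordering, not rpmvercmp.

```python
import re
from typing import List, Set, Tuple

# The six CVE IDs tracked in this bug.
REQUIRED_CVES: Set[str] = {
    "CVE-2024-12084", "CVE-2024-12085", "CVE-2024-12086",
    "CVE-2024-12087", "CVE-2024-12088", "CVE-2024-12747",
}
FIXED_UPSTREAM = (3, 4, 0)   # first upstream release with the fixes
MIN_RELEASE = "1.2.mga9"     # assumption: mga9 release that also has the regression fix

# Constructed inputs standing in for real command output (not from the page).
VERSION_OUTPUT = "rsync  version 3.2.7  protocol version 31"
CHANGELOG_PATCHED = """\
* Mon Jan 20 2025 packager <packager@example.invalid> 3.2.7-1.2.mga9
- Add upstream patch for the regression introduced by the CVE fixes

* Wed Jan 15 2025 packager <packager@example.invalid> 3.2.7-1.1.mga9
- Fix CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087,
  CVE-2024-12088 and CVE-2024-12747

* Tue Oct 25 2022 packager <packager@example.invalid> 3.2.7-1.mga9
- New version 3.2.7
"""
CHANGELOG_UNPATCHED = CHANGELOG_PATCHED.split("\n\n")[-1]  # only the 2022 entry


def parse_version(version_output: str) -> Tuple[int, ...]:
    """Numeric tuple from the first line of `rsync --version`."""
    m = re.search(r"rsync\s+version\s+(\d+(?:\.\d+)+)", version_output)
    if not m:
        raise ValueError("unrecognised rsync --version output")
    return tuple(int(x) for x in m.group(1).split("."))


def release_key(release: str) -> List[Tuple[int, object]]:
    """Simplified RPM release ordering: numeric segments compare as integers
    and rank above alphabetic ones, so 1.mga9 < 1.1.mga9 < 1.2.mga9."""
    return [(1, int(p)) if p.isdigit() else (0, p) for p in release.split(".")]


def cves_in_changelog(changelog: str) -> Set[str]:
    """Every CVE identifier mentioned anywhere in the changelog text."""
    return set(re.findall(r"CVE-\d{4}-\d{4,}", changelog))


def assess(version_output: str, version_release: str, changelog: str,
           min_release: str = MIN_RELEASE) -> Tuple[str, Set[str]]:
    """Classify the installed package. Returns (status, missing CVE IDs)."""
    if parse_version(version_output) >= FIXED_UPSTREAM:
        return "fixed-upstream", set()          # upstream 3.4.0 or later
    missing = REQUIRED_CVES - cves_in_changelog(changelog)
    if missing:
        return "vulnerable", missing            # no trace of the backports
    release = version_release.split()[1]
    if release_key(release) < release_key(min_release):
        return "backported-needs-regression-fix", set()  # e.g. 1.1.mga9
    return "backported", set()


if __name__ == "__main__":
    print(assess(VERSION_OUTPUT, "3.2.7 1.2.mga9", CHANGELOG_PATCHED))
    print(assess(VERSION_OUTPUT, "3.2.7 1.mga9", CHANGELOG_UNPATCHED))
```

To run it against a live system, feed `assess()` the stdout of `rsync --version`, `rpm -q --qf '%{VERSION} %{RELEASE}\n' rsync` and `rpm -q --changelog rsync` (for example via `subprocess.run(..., capture_output=True, text=True)`); the constants above only exist so the example runs offline.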

Comment 14 Nicolas Salguero 2025-01-20 17:09:22 CET
Ubuntu has issued an advisory on January 16:
https://ubuntu.com/security/notices/USN-7206-2

The update caused a regression.

rsync-3.2.7-1.2.mga9 will contain the patch from Ubuntu to fix that regression.
Comment 15 Nicolas Salguero 2025-01-20 17:13:01 CET
Suggested advisory:
========================

The updated package fixes security vulnerabilities and a regression introduced by those fixes:

Heap buffer overflow in rsync due to improper checksum length handling. (CVE-2024-12084)

Info leak via uninitialized stack contents. (CVE-2024-12085)

Rsync server leaks arbitrary client files. (CVE-2024-12086)

Path traversal vulnerability in rsync. (CVE-2024-12087)

Rsync --safe-links option bypass leads to path traversal. (CVE-2024-12088)

Race condition in rsync handling symbolic links. (CVE-2024-12747)

References:
https://www.openwall.com/lists/oss-security/2025/01/14/3
https://lists.debian.org/debian-security-announce/2025/msg00004.html
https://ubuntu.com/security/notices/USN-7206-1
https://ubuntu.com/security/notices/USN-7206-2
========================

Updated package in core/updates_testing:
========================
rsync-3.2.7-1.2.mga9

from SRPM:
rsync-3.2.7-1.2.mga9.src.rpm

Assignee: nicolas.salguero => qa-bugs
Keywords: advisory => (none)
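The --safe-links bypass listed in the advisory text of comment 4 and comment 15 (CVE-2024-12088) is a path-traversal class of bug: a symlink whose target escapes the transfer root must be dropped by the receiver. The Python below is an added illustration written for this page; it is not rsync's code and does not reproduce the actual upstream defect. It contrasts a purely lexical check of a link target (counting `..` components in the target text) with one that also follows symlinks already present in the tree while walking, over a constructed in-memory tree. The tree, the function names and the `MAX_LINK_DEPTH` loop bound are assumptions made for the example.

```python
import posixpath
from typing import Dict, List, Optional, Set, Tuple

Tree = Dict[str, Tuple[str, Optional[str]]]

# Constructed sample transfer tree, keyed by path relative to the root.
# Values are ("file", None) or ("link", target); directories are implicit.
# Illustrative data only, not an rsync file list from the page.
SAMPLE_TREE: Tree = {
    "docs/readme.txt": ("file", None),
    "docs/up": ("link", ".."),                       # resolves to the root itself: inside
    "docs/escape": ("link", "../../etc/passwd"),     # one ".." too many: outside
    "docs/abs": ("link", "/etc/shadow"),             # absolute target: outside
    "docs/hop": ("link", "up"),                      # link to a link, still inside
    "docs/chain": ("link", "hop/../../etc/passwd"),  # lexically inside, escapes once "hop" is followed
    "docs/loop": ("link", "loop"),                   # self-referential: must not hang the checker
    "extra": ("link", "docs/readme.txt"),            # ordinary safe link
}

MAX_LINK_DEPTH = 40  # assumed bound on nested symlink resolution (loop guard)


def _link_dir(link_path: str) -> List[str]:
    """Directory components of the link's own location inside the tree."""
    return [c for c in posixpath.dirname(link_path).split("/") if c]


def _walk(tree: Tree, start: List[str], target: str, follow: bool,
          depth: int = 0) -> Optional[List[str]]:
    """Apply `target` to the component stack `start`. Returns the final
    component list, or None if the walk climbs above the root, the target is
    absolute, or nested resolution exceeds MAX_LINK_DEPTH. With follow=True,
    every symlink met on the way is re-resolved from its own directory."""
    if target.startswith("/") or depth > MAX_LINK_DEPTH:
        return None
    stack = list(start)
    for comp in target.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not stack:
                return None  # climbed above the transfer root
            stack.pop()
            continue
        stack.append(comp)
        entry = tree.get("/".join(stack))
        if follow and entry is not None and entry[0] == "link":
            stack = _walk(tree, stack[:-1], entry[1], True, depth + 1)
            if stack is None:
                return None
    return stack


def lexical_escapes(link_path: str, target: str) -> bool:
    """Naive check: only counts ".." in the target text. It misses targets
    that leave the root by passing through another symlink first."""
    return _walk({}, _link_dir(link_path), target, follow=False) is None


def resolved_escapes(tree: Tree, link_path: str, target: str) -> bool:
    """Hardened check: follows symlinks already in the tree while walking."""
    return _walk(tree, _link_dir(link_path), target, follow=True) is None


def rejected_links(tree: Tree) -> Set[str]:
    """Paths a --safe-links style filter should drop from the transfer."""
    return {p for p, (kind, tgt) in tree.items()
            if kind == "link" and resolved_escapes(tree, p, tgt)}


if __name__ == "__main__":
    for path, (kind, tgt) in sorted(SAMPLE_TREE.items()):
        if kind == "link":
            print(f"{path:12} -> {tgt:22} lexical={lexical_escapes(path, tgt)!s:5} "
                  f"resolved={resolved_escapes(SAMPLE_TREE, path, tgt)}")
```

The interesting row is `docs/chain`: the lexical check accepts it because `hop/../../etc/passwd` has only two `..` against a two-deep starting directory, while the resolving check notices that `hop` is itself a link leading to the root, after which the remaining `..` leaves the tree. The self-referential `docs/loop` is rejected conservatively once the depth bound is hit rather than resolved forever.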

Comment 16 Nicolas Salguero 2025-01-20 17:13:38 CET
The advisory will need to be updated, sorry!
Comment 17 katnatek 2025-01-20 17:37:30 CET
(In reply to Nicolas Salguero from comment #16)
> The advisory will need to be updated, sorry!

And need to do again the test

Keywords: (none) => advisory

Comment 18 Guillaume Bedot 2025-01-20 19:01:29 CET
Tested with
$ rsync rsync://geex.ovh/mageia

Works for me too.
Comment 19 Ben McMonagle 2025-01-21 06:28:53 CET
plasma i586 system

updated rsync: 

To satisfy dependencies, the following package is going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Release (Installer)")
  rsync                          3.2.7        1.2.mga9      i586    
4KB of additional disk space will be used.
487KB of packages will be retrieved.
Proceed with the installation of one package? (Y/n) y

excerpt from a script that invokes rsync:


05:19:58. Starting to synchronise this local ISO directory with 
 Mageia-9-i586.
This can take hours, but can be re-started efficiently if it breaks.

rsync -avHP rsync://isoqa@bcd.mageia.org/isos/mageia9/Mageia-9-i586/ .
receiving incremental file list
./
DATE.txt
             33 100%   32.23kB/s    0:00:00 (xfr#1, to-chk=8/10)
Mageia-9-i586.idx
        181,868 100%   83.66kB/s    0:00:02 (xfr#2, to-chk=7/10)
Mageia-9-i586.iso.md5
             52 100%   50.78kB/s    0:00:00 (xfr#3, to-chk=5/10)
Mageia-9-i586.iso.md5.gpg
            667 100%  325.68kB/s    0:00:00 (xfr#4, to-chk=4/10)
Mageia-9-i586.iso.sha3
            148 100%   72.27kB/s    0:00:00 (xfr#5, to-chk=3/10)
Mageia-9-i586.iso.sha3.gpg
            764 100%  248.70kB/s    0:00:00 (xfr#6, to-chk=2/10)
Mageia-9-i586.iso.sha512
            148 100%   48.18kB/s    0:00:00 (xfr#7, to-chk=1/10)
Mageia-9-i586.iso.sha512.gpg
            765 100%    2.46kB/s    0:00:00 (xfr#8, to-chk=0/10)

sent 183 bytes  received 185,103 bytes  24,704.80 bytes/sec
total size is 4,023,255,165  speedup is 21,713.76

Seems OK to me.

05:20:05, rsync finished.
Ben McMonagle 2025-01-21 06:32:26 CET

Whiteboard: (none) => MGA9-32-OK

Comment 20 Herman Viaene 2025-01-21 10:51:56 CET
Deleted synched folder from Comment 5 and repeated the test. Result OK.

Whiteboard: MGA9-32-OK => MGA9-32-OK MGA9-64-OK

Comment 21 Thomas Andrews 2025-01-21 15:54:12 CET
MGA9-64 Plasma.

Used qarepo with the existing rsync to download this update from the math.princeton rsync mirror. The update installed with no issues.

After restarting qarepo, I used it to download the packages for the pending vim update, Bug 33944, from the same mirror. There were no issues with that download, either.

Confirming the OK, and re-validating.

Keywords: (none) => validated_update

Comment 22 Mageia Robot 2025-01-22 04:19:57 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0019.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 23 Nicolas Salguero 2025-01-24 10:27:56 CET
*** Bug 33957 has been marked as a duplicate of this bug. ***

CC: (none) => mageia

