There is a path-sanitizing bug that affects daemon mode in all recent rsync versions (including 2.6.2) but only if chroot is disabled. It does NOT affect the normal send/receive filenames that specify what files should be transferred (this is because these names happen to get sanitized twice, and thus the second call removes any lingering leading slash(es) that the first call left behind). It does affect certain option paths that cause auxilliary files to be read or written. More information here http://samba.org/rsync/#security_aug04 FC is handled by bug 130044
Here is the upstream patch to fix this issue. --- orig/util.c 2004-04-27 12:59:37 -0700 +++ util.c 2004-08-11 23:37:27 -0700 @@ -743,7 +743,7 @@ allowdotdot = 1; } else { p += 2; - if (*p == '/') + while (*p == '/') p++; if (sanp != start) { /* back up sanp one level */
This is going to be RHSA-2004:436
MITRE has assigned CAN-2004-0792 to this issue.
An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2004-436.html