Bug 2110928 (CVE-2022-29154) - CVE-2022-29154 rsync: remote arbitrary files write inside the directories of connecting peers
Summary: CVE-2022-29154 rsync: remote arbitrary files write inside the directories of ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-29154
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2115429 2115431 2111170 2111171 2111172 2111173 2111174 2111175 2111176 2111177 2115430 2119138 2119139
Blocks: 2110929
Reported: 2022-07-26 08:11 UTC by Marian Rehak
Modified: 2022-11-07 01:21 UTC
CC List: 14 users

Fixed In Version: rsync 3.2.5pre1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in rsync that is triggered by a victim rsync user/client connecting to a malicious rsync server. The server can copy and overwrite arbitrary files in the client's rsync target directory and subdirectories. This flaw allows a malicious server, or in some cases, another attacker who performs a man-in-the-middle attack, to potentially overwrite sensitive files on the client machine, resulting in further exploitation.
Clone Of:
Environment:
Last Closed: 2022-09-02 19:55:15 UTC
Embargoed:
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:6185 0 None None None 2022-08-25 05:56:20 UTC
Red Hat Product Errata RHBA-2022:6190 0 None None None 2022-08-25 13:27:07 UTC
Red Hat Product Errata RHBA-2022:6191 0 None None None 2022-08-25 16:38:46 UTC
Red Hat Product Errata RHBA-2022:6193 0 None None None 2022-08-25 16:50:44 UTC
Red Hat Product Errata RHBA-2022:6194 0 None None None 2022-08-25 16:54:18 UTC
Red Hat Product Errata RHBA-2022:6197 0 None None None 2022-08-25 18:48:47 UTC
Red Hat Product Errata RHBA-2022:6198 0 None None None 2022-08-25 20:53:25 UTC
Red Hat Product Errata RHBA-2022:6202 0 None None None 2022-08-29 12:48:49 UTC
Red Hat Product Errata RHBA-2022:6204 0 None None None 2022-08-29 15:40:58 UTC
Red Hat Product Errata RHBA-2022:6205 0 None None None 2022-08-29 14:47:49 UTC
Red Hat Product Errata RHBA-2022:6209 0 None None None 2022-08-29 16:11:07 UTC
Red Hat Product Errata RHBA-2022:6213 0 None None None 2022-08-29 16:12:37 UTC
Red Hat Product Errata RHBA-2022:6229 0 None None None 2022-08-30 17:05:26 UTC
Red Hat Product Errata RHBA-2022:6232 0 None None None 2022-08-30 19:16:18 UTC
Red Hat Product Errata RHBA-2022:6311 0 None None None 2022-09-01 14:21:26 UTC
Red Hat Product Errata RHBA-2022:6334 0 None None None 2022-09-05 11:06:37 UTC
Red Hat Product Errata RHBA-2022:6335 0 None None None 2022-09-05 10:50:30 UTC
Red Hat Product Errata RHBA-2022:6336 0 None None None 2022-09-05 10:50:56 UTC
Red Hat Product Errata RHBA-2022:6338 0 None None None 2022-09-05 11:01:24 UTC
Red Hat Product Errata RHBA-2022:6339 0 None None None 2022-09-05 10:57:26 UTC
Red Hat Product Errata RHBA-2022:6340 0 None None None 2022-09-05 13:38:08 UTC
Red Hat Product Errata RHBA-2022:6397 0 None None None 2022-09-08 13:33:49 UTC
Red Hat Product Errata RHBA-2022:6415 0 None None None 2022-09-12 08:11:18 UTC
Red Hat Product Errata RHBA-2022:6416 0 None None None 2022-09-12 07:54:56 UTC
Red Hat Product Errata RHBA-2022:6689 0 None None None 2022-09-22 14:09:54 UTC
Red Hat Product Errata RHBA-2022:7430 0 None None None 2022-11-07 01:21:58 UTC
Red Hat Product Errata RHSA-2022:6170 0 None None None 2022-08-24 21:38:22 UTC
Red Hat Product Errata RHSA-2022:6171 0 None None None 2022-08-24 19:56:50 UTC
Red Hat Product Errata RHSA-2022:6172 0 None None None 2022-08-24 17:52:41 UTC
Red Hat Product Errata RHSA-2022:6173 0 None None None 2022-08-24 17:37:31 UTC
Red Hat Product Errata RHSA-2022:6180 0 None None None 2022-08-24 19:55:13 UTC
Red Hat Product Errata RHSA-2022:6181 0 None None None 2022-08-24 18:55:30 UTC
Red Hat Product Errata RHSA-2022:6551 0 None None None 2022-09-19 11:50:38 UTC

Description Marian Rehak 2022-07-26 08:11:52 UTC
An arbitrary file write vulnerability in the rsync utility that allows malicious remote servers to write arbitrary files inside the directories of connecting peers.

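The Doc Text above is the whole of what this record says about the flaw: a client talking to a malicious rsync server can have files under its target directory overwritten, and the upstream fix is in rsync 3.2.5 (Fixed In Version names 3.2.5pre1). The first thing an administrator wants from that is a way to tell which hosts still run an unfixed upstream build. The POSIX shell script below is an added example, not part of this bug record or of the rsync project: it parses the first line of `rsync --version`, strips any pre-release suffix, and compares the result against 3.2.5 component by component. The two banner strings are constructed samples; the function names are my own.

```shell
#!/bin/sh
# Added example; not part of the Bugzilla record or of rsync itself.
# Decides whether an rsync version string is at or above 3.2.5, the
# upstream release that carries the fix for CVE-2022-29154.

FIXED_VERSION="3.2.5"

# Print the X.Y.Z version found on the first line of `rsync --version`
# output read from stdin. A pre-release suffix such as "pre1" is dropped,
# so "3.2.5pre1" is reported as "3.2.5" (the record lists it as fixed).
rsync_version_from_banner() {
    sed -n '1s/^rsync[[:space:]]*version[[:space:]]*\([0-9][0-9.]*\).*$/\1/p'
}

# Return 0 (true) when dotted version $1 >= dotted version $2.
# Components are compared numerically, so 3.10.0 sorts above 3.2.5;
# a missing component counts as 0.
version_ge() {
    v1=$1; v2=$2
    i=1
    while [ "$i" -le 3 ]; do
        c1=$(echo "$v1" | cut -d. -f"$i"); c2=$(echo "$v2" | cut -d. -f"$i")
        c1=${c1:-0}; c2=${c2:-0}
        if [ "$c1" -gt "$c2" ]; then return 0; fi
        if [ "$c1" -lt "$c2" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# Return 0 when the given version string contains the upstream fix.
rsync_has_fix() {
    version_ge "$1" "$FIXED_VERSION"
}

# Classify one banner line: prints "fixed", "vulnerable" or "unknown"
# (unknown = the line did not look like an rsync version banner).
classify_banner() {
    v=$(printf '%s\n' "$1" | rsync_version_from_banner)
    if [ -z "$v" ]; then echo "unknown"; return 2; fi
    if rsync_has_fix "$v"; then echo "fixed"; else echo "vulnerable"; fi
}

# Constructed sample banners, in the format rsync prints on its first line.
OLD_BANNER="rsync  version 3.1.3  protocol version 31"
NEW_BANNER="rsync  version 3.2.5  protocol version 31"

classify_banner "$OLD_BANNER"   # vulnerable
classify_banner "$NEW_BANNER"   # fixed
# Live check on the current host (uncomment to use):
# classify_banner "$(rsync --version | head -n 1)"
```

This is an upstream-version check only. The Red Hat errata listed in this record ship backported fixes under older version numbers, so on a RHEL or Fedora host the authoritative test is whether the installed rsync package is at or above the version named in the applicable erratum, not the banner comparison above.
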
Comment 10 Todd Cullum 2022-08-04 16:21:42 UTC
Created rsync tracking bugs for this issue:

Affects: fedora-all [bug 2115430]


Created rsync-bpc tracking bugs for this issue:

Affects: epel-all [bug 2115431]
Affects: fedora-all [bug 2115429]

Comment 16 errata-xmlrpc 2022-08-24 17:37:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:6173 https://access.redhat.com/errata/RHSA-2022:6173

Comment 17 errata-xmlrpc 2022-08-24 17:52:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:6172 https://access.redhat.com/errata/RHSA-2022:6172

Comment 18 errata-xmlrpc 2022-08-24 18:55:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:6181 https://access.redhat.com/errata/RHSA-2022:6181

Comment 19 errata-xmlrpc 2022-08-24 19:55:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6180 https://access.redhat.com/errata/RHSA-2022:6180

Comment 20 errata-xmlrpc 2022-08-24 19:56:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:6171 https://access.redhat.com/errata/RHSA-2022:6171

Comment 21 errata-xmlrpc 2022-08-24 21:38:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:6170 https://access.redhat.com/errata/RHSA-2022:6170

Comment 22 Product Security DevOps Team 2022-09-02 19:55:12 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-29154

Comment 23 errata-xmlrpc 2022-09-19 11:50:34 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2022:6551 https://access.redhat.com/errata/RHSA-2022:6551
