CVE-2017-17434

Name of the Vulnerable Software and Affected Versions rsync versions 3.1.2 through 3.1.3-development before 2017-12-03

Description The issue arises from the daemon in rsync not checking for fnamecmp filenames in the daemon filter list data structure and not applying the sanitize paths protection mechanism to pathnames found in "xname follows" strings. This allows remote attackers to bypass intended access restrictions, potentially impacting the confidentiality, integrity, and availability of protected information.

Recommendations For rsync versions 3.1.2 through 3.1.3-development before 2017-12-03, consider disabling the recv files function in receiver.c and the read ndx and attrs function in rsync.c as a temporary workaround until a patch is available. Restrict access to the daemon filter list data structure and the "xname follows" strings to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.