Message-ID: <CAAbv5GYGGW9uiLVxGei5UHi1m=dUjmJF3NH5VYiqsG-ViWAPSA@mail.gmail.com>
Date: Wed, 20 May 2026 05:23:22 -0400
From: Andrew Tridgell <tridge60@...il.com>
To: oss-security@...ts.openwall.com
Cc: "rsync.project" <rsync.project@...il.com>
Subject: rsync 3.4.3 released: six CVEs (CVE-2026-29518, CVE-2026-43617,
 CVE-2026-43618, CVE-2026-43619, CVE-2026-43620, CVE-2026-45232)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

rsync 3.4.3 has been released and fixes six CVEs.  All six were
assigned by VulnCheck as CNA.  Affected versions are 3.4.2 and
earlier in every case; users should upgrade to 3.4.3.

Tarball, signatures and NEWS:
    https://rsync.samba.org/ftp/rsync/src/
    https://download.samba.org/pub/rsync/NEWS.html
Tag and per-CVE patches:
    https://github.com/RsyncProject/rsync/releases/tag/v3.4.3
Security advisories (with patch references):
    https://github.com/RsyncProject/rsync/security/advisories

Summary
=======

Three of the six (CVE-2026-29518, CVE-2026-43617, CVE-2026-43619)
require a non-default daemon configuration to reach: the first and
third need "use chroot = no" set for a module, the second needs
"daemon chroot = ..." set in rsyncd.conf.  Two (CVE-2026-43618,
CVE-2026-43620) are reachable from a normal pull or a normal
authenticated daemon connection.  The sixth (CVE-2026-45232) is
reachable only when RSYNC_PROXY is set and the proxy (or a MITM
in front of it) returns a pathological response.

CVE-2026-29518 -- CVSS v4.0 7.3 (HIGH)
TOCTOU symlink race in daemon mode without chroot, allowing local
privilege escalation.  A daemon configured with "use chroot = no"
was exposed to a time-of-check / time-of-use race on parent path
components: a local attacker with write access to a module could
replace a parent directory component with a symlink between the
receiver's check and its open(), redirecting reads (basis-file
disclosure) and writes (file overwrite) outside the module.  The
default "use chroot = yes" is not exposed.  secure_relative_open(),
introduced in 3.4.0 for CVE-2024-12086, was previously unused in
the daemon-no-chroot case; the fix enables it there and reroutes
the sender's read path through it.
Reported by Nullx3D (Batuhan Sancak), Damien Neil, and Michael
Stapelberg.

CVE-2026-43617 -- CVSS v3.1 4.8 (MEDIUM)
Hostname/ACL bypass on a daemon configured with "daemon chroot = /X"
when the chroot tree lacks DNS resolution support.  The reverse-DNS
lookup of the connecting client was performed *after* the daemon
chroot had been entered; if /X did not contain libc resolver
fixtures (/etc/resolv.conf, /etc/nsswitch.conf, /etc/hosts, NSS
service modules) the lookup failed and the hostname was recorded
as "UNKNOWN", causing hostname-based "hosts deny" rules to silently
fail open.  IP-based ACLs are unaffected.  The per-module "use
chroot" setting is unrelated.  The fix performs the lookup before
entering the daemon chroot.
Reported by MegaManSec.

CVE-2026-43618 -- CVSS v3.1 8.1 (HIGH)
Integer overflow in the compressed-token decoder enabling remote
memory disclosure to an authenticated daemon peer.  The receiver
accumulated a 32-bit signed counter without overflow checking; a
malicious sender could trigger an overflow that, with careful
manipulation, leaked process memory contents -- environment
variables, passwords, heap and library pointers -- significantly
weakening ASLR.  The fix bounds the counter and adds wire-input
validation in several adjacent places.
Workaround for older releases: "refuse options = compress" in
rsyncd.conf.
Reported by Omar Elsayed.
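
The following is an added illustration of the fix pattern, not rsync's
own decoder: the "token stream" is a constructed simplification (a flat
sequence of little-endian int32 run lengths), and MAX_RUN / MAX_TOTAL are
assumed bounds chosen for the example.  The point is the shape of the
check: validate each wire-supplied value against a per-item bound, and
refuse any addition to the running total that would wrap or exceed a
ceiling, before the addition happens.

```c
#include <stdint.h>
#include <stddef.h>
#include <limits.h>

/* Assumed bounds for this example (not rsync's constants). */
#define MAX_RUN    (1 << 20)         /* largest single run length accepted */
#define MAX_TOTAL  (INT32_MAX / 2)   /* ceiling on the running total */

enum decode_status {
    DECODE_OK = 0,
    DECODE_BAD_RUN = -1,     /* negative or oversized run length from the wire */
    DECODE_OVERFLOW = -2,    /* total would wrap or exceed MAX_TOTAL */
    DECODE_TRUNCATED = -3,   /* stream ended mid-token */
};

/* Little-endian int32 read that does not depend on host endianness. */
static int32_t read_i32(const unsigned char *p)
{
    uint32_t v = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return (int32_t)v;
}

/* Add n to *acc, refusing any step that would wrap or pass MAX_TOTAL.
 * Testing "acc + n < acc" after the fact is undefined behaviour for
 * signed ints, so the overflow test must precede the addition. */
static int accumulate_checked(int32_t *acc, int32_t n)
{
    int32_t sum;
    if (n < 0)
        return DECODE_BAD_RUN;
    if (__builtin_add_overflow(*acc, n, &sum) || sum > MAX_TOTAL)
        return DECODE_OVERFLOW;
    *acc = sum;
    return DECODE_OK;
}

/* Decode ntokens run lengths from buf[len].  On success stores the
 * validated total in *total and returns DECODE_OK; on any failure the
 * partial total is discarded and a negative status is returned. */
int decode_runs(const unsigned char *buf, size_t len, size_t ntokens,
                int32_t *total)
{
    int32_t acc = 0;
    for (size_t i = 0; i < ntokens; i++) {
        if (i >= len / 4)
            return DECODE_TRUNCATED;
        int32_t run = read_i32(buf + i * 4);
        if (run < 0 || run > MAX_RUN)
            return DECODE_BAD_RUN;
        int st = accumulate_checked(&acc, run);
        if (st != DECODE_OK)
            return st;
    }
    *total = acc;
    return DECODE_OK;
}

/* Encoder used only to build the constructed sample streams below. */
static void put_i32(unsigned char *p, int32_t v)
{
    uint32_t u = (uint32_t)v;
    p[0] = u & 0xff; p[1] = (u >> 8) & 0xff;
    p[2] = (u >> 16) & 0xff; p[3] = (u >> 24) & 0xff;
}

/* Benign stream: three small runs; returns the total (600) or a status. */
int demo_benign(void)
{
    unsigned char b[12];
    int32_t total = 0;
    put_i32(b, 100); put_i32(b + 4, 200); put_i32(b + 8, 300);
    int st = decode_runs(b, sizeof b, 3, &total);
    return st == DECODE_OK ? total : st;
}

/* One token carrying INT32_MAX: rejected by the per-item bound. */
int demo_oversized_run(void)
{
    unsigned char b[4];
    int32_t total = 0;
    put_i32(b, INT32_MAX);
    return decode_runs(b, sizeof b, 1, &total);
}

/* 4096 maximal runs: the unbounded sum would be 2^32 and wrap a 32-bit
 * signed counter; the ceiling stops it long before that. */
int demo_hostile_stream(void)
{
    static unsigned char b[4096 * 4];
    int32_t total = 0;
    for (size_t i = 0; i < 4096; i++)
        put_i32(b + i * 4, MAX_RUN);
    return decode_runs(b, sizeof b, 4096, &total);
}
```

`__builtin_add_overflow` is a GCC/Clang builtin; on other compilers the
same check can be written as `n > MAX_TOTAL - *acc` once `n >= 0` and
`*acc <= MAX_TOTAL` are both established.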

CVE-2026-43619 -- CVSS v3.1 6.3 (MEDIUM)
Symlink races on path-based system calls in "use chroot = no"
daemon mode, generalising CVE-2026-29518.  Earlier symlink-race
fixes covered the receiver's open() call but missed the same race
class on every other path-based syscall: chmod, lchown, utimes,
rename, unlink, mkdir, symlink, mknod, link, rmdir and lstat.  The
fix routes each through a parent dirfd opened under kernel-enforced
RESOLVE_BENEATH-equivalent confinement (openat2 on Linux 5.6+,
O_RESOLVE_BENEATH on FreeBSD 13+ and macOS 15+, per-component
O_NOFOLLOW walk elsewhere).  Default "use chroot = yes" is not
exposed.
Reported by Andrew Tridgell as a follow-on audit of CVE-2026-29518.
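
As an added example covering both CVE-2026-29518 and CVE-2026-43619, the
function below shows the "per-component O_NOFOLLOW walk" fallback the
advisory mentions: every path component is opened relative to the
previous directory fd, so there is no check-then-use window for a
symlink to slip into.  This is illustrative code, not rsync's
secure_relative_open(); it does not use openat2()/RESOLVE_BENEATH, and
the demo tree it builds under /tmp (module dir, a file outside it, and
an "escape" symlink pointing back up) is constructed for the example.
Linux reports a symlink hit under O_NOFOLLOW as ELOOP; other systems
use a different errno but still refuse.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Open relpath beneath base_fd without trusting a path string that a
 * concurrent writer could re-point.  Absolute paths and ".." are
 * rejected lexically; each intermediate component is opened with
 * O_DIRECTORY|O_NOFOLLOW and the leaf with O_NOFOLLOW, so a symlink
 * swapped in at any step fails instead of being followed out of the
 * tree.  Returns an fd, or -1 with errno set. */
int open_beneath(int base_fd, const char *relpath, int flags)
{
    if (relpath == NULL || relpath[0] == '\0' || relpath[0] == '/') {
        errno = EINVAL;
        return -1;
    }
    char *copy = strdup(relpath);
    if (copy == NULL)
        return -1;
    int dir = fcntl(base_fd, F_DUPFD_CLOEXEC, 0);
    if (dir < 0) {
        free(copy);
        return -1;
    }
    char *save = NULL;
    char *comp = strtok_r(copy, "/", &save);
    while (comp != NULL) {
        char *next = strtok_r(NULL, "/", &save);
        if (strcmp(comp, ".") == 0) {
            comp = next;
            continue;
        }
        if (strcmp(comp, "..") == 0) {       /* never climb out of base */
            close(dir);
            free(copy);
            errno = EXDEV;
            return -1;
        }
        int fd = next != NULL
            ? openat(dir, comp, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC)
            : openat(dir, comp, flags | O_NOFOLLOW | O_CLOEXEC, 0600);
        int saved = errno;
        close(dir);
        if (fd < 0) {
            free(copy);
            errno = saved;
            return -1;
        }
        dir = fd;
        comp = next;
    }
    free(copy);
    return dir;
}

/* Constructed scenario.  Returns 1 when the in-module file opens but both
 * escape attempts (via the symlink and via "..") are refused, 0 if an
 * escape succeeded, -1 if the temporary tree could not be built. */
int demo_symlink_escape_refused(void)
{
    char root[] = "/tmp/beneath-demo-XXXXXX";
    char module[4096], secret[4096], data[4096], link[4096];
    if (mkdtemp(root) == NULL)
        return -1;
    snprintf(module, sizeof module, "%s/module", root);
    snprintf(secret, sizeof secret, "%s/secret.txt", root);
    snprintf(data, sizeof data, "%s/data.txt", module);
    snprintf(link, sizeof link, "%s/escape", module);
    if (mkdir(module, 0700) < 0)
        return -1;
    int fd = open(secret, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return -1;
    close(fd);
    fd = open(data, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return -1;
    close(fd);
    if (symlink("..", link) < 0)          /* module/escape -> root */
        return -1;

    int mod = open(module, O_RDONLY | O_DIRECTORY);
    if (mod < 0) return -1;
    int good = open_beneath(mod, "data.txt", O_RDONLY);
    int via_link = open_beneath(mod, "escape/secret.txt", O_RDONLY);
    int via_dotdot = open_beneath(mod, "../secret.txt", O_RDONLY);
    int result = good >= 0 && via_link < 0 && via_dotdot < 0;
    if (good >= 0) close(good);
    if (via_link >= 0) close(via_link);
    if (via_dotdot >= 0) close(via_dotdot);
    close(mod);

    unlink(link); unlink(data); unlink(secret);   /* tidy the demo tree */
    rmdir(module); rmdir(root);
    return result;
}
```

Because the walk re-resolves nothing from a string after the first
openat(), an attacker who replaces "escape" with a symlink between any
two steps only changes which step fails; there is no window in which the
symlink is followed.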

CVE-2026-43620 -- CVSS v3.1 6.5 (MEDIUM)
Out-of-bounds read in the receiver's recv_files() enabling remote
denial-of-service of any client pulling from a malicious server
(incomplete fix of commit 797e17f).  The earlier parent_ndx<0
guard added to send_files() was not applied to the visually
identical block in recv_files().  A malicious server can drive
any connecting client into a deterministic SIGSEGV by setting
CF_INC_RECURSE in the compatibility flags and sending a crafted
file list and transfer record.  inc_recurse is the protocol-30+
default, so no special options are required on the victim.
Workaround for older releases: "--no-inc-recursive" on the client.
Reported by Pratham Gupta.

CVE-2026-45232 -- CVSS v3.1 3.1 (LOW)
Off-by-one out-of-bounds stack write in the rsync client's HTTP
CONNECT proxy handler (establish_proxy_connection() in socket.c).
After issuing the CONNECT request, rsync read the proxy's first
response line one byte at a time into a 1024-byte stack buffer with
the bound "cp < &buffer[sizeof buffer - 1]".  If the proxy (or a
MITM in front of it) returned 1023+ bytes on that first line
without a newline terminator, cp exited the loop pointing at a
buffer slot the loop never wrote, leaving *cp holding stale stack
data from the earlier snprintf() of the outgoing CONNECT request.
The post-loop logic then wrote a single \0 one byte past the end
of the buffer on the stack.  Reach is client-side only, and only
when RSYNC_PROXY is set so rsync tunnels an rsync:// connection
through an HTTP CONNECT proxy.  The written byte is always \0 and
the offset is fixed by the buffer size, not attacker-chosen, so
this is not an arbitrary-write primitive: practical impact is
corruption of one adjacent stack byte and a possible later crash
or misbehaviour.  The fix detects the "buffer filled without
finding \n" case by position and refuses the response with
"proxy response line too long".
Reported by Aisle Research via Michal Ruprich (rsync-3.4.1-2.el10
QE).
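
The reader below is an added example of the bounded line-reading pattern
the fix relies on, not rsync's establish_proxy_connection(): the byte
source is an in-memory stand-in for the proxy socket, and the status-line
check ("HTTP/1.x 200 ...") is an assumption about what a CONNECT success
looks like.  The design point is to track the number of bytes stored
explicitly and refuse a line that fills the buffer without a newline,
rather than inferring state from the byte behind the write pointer.

```c
#include <stddef.h>
#include <string.h>

/* Constructed in-memory byte source standing in for the proxy socket. */
struct byte_src { const char *data; size_t len; size_t pos; };

static int src_getc(struct byte_src *s)
{
    if (s->pos >= s->len)
        return -1;                         /* EOF */
    return (unsigned char)s->data[s->pos++];
}

enum line_status { LINE_OK = 0, LINE_TOO_LONG = -1, LINE_EOF = -2 };

/* Read one line byte-by-byte into buf[bufsz].  The trailing "\r\n" or
 * "\n" is stripped and the result is NUL-terminated.  At most bufsz-1
 * bytes are stored; a line that would need more is refused before the
 * extra byte is written, and a stream that ends with no newline is
 * reported as LINE_EOF rather than treated as a complete line. */
int read_line_bounded(struct byte_src *s, char *buf, size_t bufsz)
{
    size_t n = 0;
    for (;;) {
        int c = src_getc(s);
        if (c < 0)
            return LINE_EOF;
        if (c == '\n')
            break;
        if (n + 1 >= bufsz)                /* no room for byte plus NUL */
            return LINE_TOO_LONG;
        buf[n++] = (char)c;
    }
    if (n > 0 && buf[n - 1] == '\r')
        n--;
    buf[n] = '\0';                         /* always inside the buffer */
    return LINE_OK;
}

/* Parse the proxy's first response line.  Returns 1 for an HTTP/1.x 200
 * status, 0 for any other well-formed status line, or the negative
 * line_status when the line was refused. */
int check_proxy_response(const char *data, size_t len)
{
    char line[1024];                       /* same size as the advisory's buffer */
    struct byte_src s = { data, len, 0 };
    int st = read_line_bounded(&s, line, sizeof line);
    if (st != LINE_OK)
        return st;
    if (strncmp(line, "HTTP/1.", 7) != 0)
        return 0;
    const char *sp = strchr(line, ' ');
    if (sp == NULL)
        return 0;
    return strncmp(sp + 1, "200", 3) == 0 && (sp[4] == ' ' || sp[4] == '\0');
}

/* Constructed responses exercising the normal and pathological cases. */
int demo_connect_ok(void)
{
    static const char r[] = "HTTP/1.0 200 Connection established\r\n\r\n";
    return check_proxy_response(r, sizeof r - 1);
}

int demo_connect_forbidden(void)
{
    static const char r[] = "HTTP/1.1 403 Forbidden\r\n";
    return check_proxy_response(r, sizeof r - 1);
}

/* 2048 bytes with no newline: refused as too long. */
int demo_overlong_line(void)
{
    static char r[2048];
    memset(r, 'A', sizeof r);
    return check_proxy_response(r, sizeof r);
}

/* Exactly 1023 bytes and then EOF: would fit, but no line ever ended. */
int demo_unterminated_line(void)
{
    static char r[1023];
    memset(r, 'A', sizeof r);
    return check_proxy_response(r, sizeof r);
}
```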

Defence-in-depth
================

In addition to the six CVE fixes, 3.4.3 adds defence-in-depth
hardening on several adjacent paths: bounded wire-supplied counts
and lengths in flist/io/acls/xattrs, a guard against length
underflow in cumulative snprintf() callers, a parent block-index
bounds check on the receiver, a NULL check in read_delay_line(),
a lower ceiling on MAX_WIRE_DEL_STAT to avoid signed-int overflow
in the read_del_stats() accumulator, rejection of hyphen-prefixed
remote-shell hostnames (defence-in-depth against argv-injection
in tooling that forwards untrusted input into the hostspec
position; reported by Aisle Research via Michal Ruprich), and a
NULL-check on localtime_r() in timestring() to keep a malicious
server from crashing the client by advertising a file with an
out-of-range modtime.

Many thanks to the external researchers who reported these issues.

- --
Andrew Tridgell
The Rsync Project
rsync.project@...il.com
https://rsync.samba.org/
-----BEGIN PGP SIGNATURE-----
Version: FlowCrypt Email Encryption 8.5.13
Comment: Seamlessly send and receive encrypted email

wsG5BAEBCgBtBYJqDX2JCRAbskmXqFNfb0UUAAAAAAAcACBzYWx0QG5vdGF0
aW9ucy5vcGVucGdwanMub3JnNbH8uc+4dCg8xp+j5Wp0q4n/PwTSSCanj3Ji
0g76fB4WIQSf7xEtzhmg3H6ILLgbskmXqFNfbwAAZ4AP/iGAP8Z4MH/qeyJr
5wgJDyZGnkaJGMtzQM/FEvfcaHkm/M5yd6r7EqQkzugHydi4vSwdE9YcTi1c
yhAc6hIdCAsYjY6Ij7TPzA4TXspaT3Ia0G5DpFZVHmiCUWSCAwCfm6cH129D
5T5A+5n30sPU/0DzbFrfewIRuVg8aTqs++Uv38KlZUX6YLkAsRCvhh/gDypQ
ErC0Zng4J9pg1OEwEjMn6xqbKYJZ/2FI2GvBQBn9i+LjeEX5ahA9uTOCOThh
79JdKMT1VeLfZ4SjXpgRfViAkuSIDZqB7wMNGlJNel71rGWLjH2g5KFYkkzY
n4pHKYk0352wve0trHiEgIvucfddpov4ff/GeDTZseqWaYqKlQZ+tJl1AyKt
aa+LmrXNzA4Hhv8//rE71c7t5QKdBmDi77xhEFEgh4Nq1NKVfZI+EqqhIEEx
i262leHm9JClrSMcJ3A2LXtJu2pYNOKh9sOvxHxHyNN9ZaDStsb004l3n5Rr
lsOLQL6gumy7FtKHynZuif+Fgw6VjDnuyAhAOSs1J20nccyVtnBikiKsV+b+
piM7tEEQKzPXcoZWy6gBoHYEU1nr83DQvI4dsYUKWClgKqdXkPBo1qLhCzza
Fo5BtQWvg+GeH+/rdgMzo+BLNCK0Xyt54M1LQsE23uV4QWOEchrN+ygNDMXh
mhAqfOg9
=Z7LE
-----END PGP SIGNATURE-----

