{"id":"MGASA-2017-0452","summary":"Updated rsync package fixes security vulnerabilities","details":"The recv_files function in receiver.c in the daemon in rsync 3.1.2, and\n3.1.3-development before 2017-12-03, proceeds with certain file metadata\nupdates before checking for a filename in the daemon_filter_list data\nstructure, which allows remote attackers to bypass intended access\nrestrictions. (CVE-2017-17433)\n\nThe daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, does\nnot check for fnamecmp filenames in the daemon_filter_list data\nstructure (in the recv_files function in receiver.c) and also does not\napply the sanitize_paths protection mechanism to pathnames found in\n\"xname follows\" strings (in the read_ndx_and_attrs function in rsync.c),\nwhich allows remote attackers to bypass intended access restrictions.\n(CVE-2017-17434)\n","modified":"2026-02-02T03:31:46.722597Z","published":"2017-12-16T23:20:04Z","related":["CVE-2017-17433","CVE-2017-17434"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2017-0452.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=22161"},{"type":"REPORT","url":"https://usn.ubuntu.com/usn/usn-3506-1/"}],"affected":[{"package":{"name":"rsync","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/rsync?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.1.1-5.2.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2017-0452.json"}},{"package":{"name":"rsync","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/rsync?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.1.2-1.1.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2017-0452.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}