Have the rsync CVEs not been fixed on Ubuntu 24.10?

Support and Help
1

Am I missing something, or has rsync not been fixed on Ubuntu 24.10?

I have run sudo apt update && sudo apt upgrade to update.
Restarted rsync daemon by rebooting.
Running rsync --version … gives me: version 3.3.0 protocol version 31

From my research (hours googling), this version does not fix the CVE and there is apparently no documented fix for 24.10. I guess a fix hasn’t been published to the repos? But that can’t be true, right? I mean that’s crazy, right?

But the USNs and Ubuntu Blog post do not cite a fix for 24.10, see links below.

Ubuntu Version:
24.10

Desktop Environment (if applicable):
GNOME

Problem Description:
rsync version remains: v3.3.0 protocol version 31
Does this version fix the rsync CVEs on Oracular 24.10?

Relevant System Information:
x86_64, kernel v6.11.0-13-generic

What I’ve Tried:

2

Also, in the CVS information Oracular is still marked as “Vulnerable”.

1 Like
3

wut? :skull:

Edit… perhaps I’m being a tad dramatic but I guess I don’t understand why rsync v3.4 has not been pushed to the 24.10 repository, but that’s too big brain for me (genuinely).

4

Certainly looks that way, yes.

root@oracular:~# grype --quiet / --only-notfixed --distro ubuntu:24.10 | grep rsync
rsync                      3.3.0-1                           deb   CVE-2024-12084    High
rsync                      3.3.0-1                           deb   CVE-2024-12747    Medium
rsync                      3.3.0-1                           deb   CVE-2024-12088    Medium
rsync                      3.3.0-1                           deb   CVE-2024-12087    Medium
rsync                      3.3.0-1                           deb   CVE-2024-12086    Medium
rsync                      3.3.0-1                           deb   CVE-2024-12085    Medium
root@oracular:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 24.10
Release:        24.10
Codename:       oracular
1 Like
5

Fixed today :slightly_smiling_face:

rsync (3.3.0-1ubuntu0.1) oracular-security; urgency=medium

  * SECURITY UPDATE: safe links bypass vulnerability
    - d/p/CVE-2024-12088/0001-make-safe-links-stricter.patch: reject
      links where a "../" component is included in the destination
    - CVE-2024-12088
  * SECURITY UPDATE: arbitrary file write via symbolic links
    - d/p/CVE-2024-12087/0001-Refuse-a-duplicate-dirlist.patch: refuse
      malicious duplicate flist for dir
    - d/p/CVE-2024-12087/0002-range-check-dir_ndx-before-use.patch: refuse
      invalid dir_ndx
    - d/p/fix_flag_got_dir_flist_collision.patch: fix flag collision
    - CVE-2024-12087
  * SECURITY UPDATE: arbitrary client file leak
    - d/p/CVE-2024-12086/0001-refuse-fuzzy-options-when-fuzzy-not-selected.patch:
      refuse fuzzy options when not selected
    - d/p/CVE-2024-12086/0002-added-secure_relative_open.patch: safe
      implementation to open a file relative to a base directory
    - d/p/CVE-2024-12086/0003-receiver-use-secure_relative_open-for-basis-file.patch:
      ensure secure file access for basis file
    - d/p/CVE-2024-12086/0004-disallow-.-elements-in-relpath-for-secure_relative_o.patch:
      disallow "../" in relative path
    - CVE-2024-12086
  * SECURITY UPDATE: information leak via uninitialized stack contents
    - d/p/CVE-2024-12085/0001-prevent-information-leak-off-the-stack.patch:
      prevent information leak by zeroing
    - CVE-2024-12085
  * SECURITY UPDATE: heap buffer overflow in checksum parsing
    - d/p/CVE-2024-12084/0001-Some-checksum-buffer-fixes.patch: fix
      checksum buffer issues, better length check
    - d/p/CVE-2024-12084/0002-Another-cast-when-multiplying-integers.patch:
      fix multiplying size by a better cast
    - CVE-2024-12084
  * SECURITY UPDATE: symlink race condition
    - d/p/CVE-2024-12747/0001-fixed-symlink-race-condition-in-sender.patch:
      do_open_checklinks to prevent symlink race
    - CVE-2024-12747

 -- Sudhakar Verma <sudhakar.verma@canonical.com>  Tue, 28 Jan 2025 14:02:37 +0530

Thanks to everyone involved!

1 Like