OpenBSD Journal

Security hole in rsync 2.5.6 and below

Contributed by jose on from the mirrors-getting-cracked dept.

From security-announce@ , a posting by Todd Miller:
A heap overflow exists in rsync versions 2.5.6 and below that can be used by an attacker to run arbitrary code. The bug only affects rsync in server (daemon) mode and occurs *after* rsync has dropped privileges. By default, server will chroot(2) to the root of the file tree being served which significantly mitigates the impact of the bug. Installations that disable this behavior by placing "use chroot = no" in rsyncd.conf are vulnerable to attack.

Sites that do run rsync in server mode should update their rsync package as soon as possible. The rsync port has been updated in the 3.3 and 3.4 -stable branches and a new binary package has been built for OpenBSD 3.4/i386. It can be downloaded from:

For more information on the bug, see:

For more information on packages errata, see:

Rsync mirrors a lot of the software out there, so you will want to verify things that you download using checksums (as the ports tree does) or PGP/GnuPG signed archives. If you run a mirror, make sure you're up to date on security practices.

(Comments are closed)

  1. By Anonymous Coward () on

    if they can do it for rsync, why can't they do it for other patches (besides kernel-level bugs)?

    especially with how many openssh holes we see every year ... sure would make patching a lot easier.

    1. By Anonymous Coward () on

      rsync is not a userland tool, it is a port.

      1. By Anonymous Coward () on

        my bad

Latest Articles


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]