7.4 HIGH
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Changed (C)
- Confidentiality (C): Low (L)
- Integrity (I): Low (L)
- Availability (A): Low (L)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): Low (L)
- Modified Scope (MS): Changed (C)
- Modified Integrity (MI): Low (L)
- Modified Availability (MA): Low (L)
by @LeSuisse
Activity log
- Created suggestion
- @LeSuisse ignored 19 packages:
- grsync
- rrsync
- rsyncy
- btrsync
- parsync
- librsync
- diskrsync
- openrsync
- vdirsyncer
- sqlite-rsync
- yaziPlugins.rsync
- python313Packages.btrsync
- python314Packages.btrsync
- python312Packages.sysrsync
- python313Packages.sysrsync
- python314Packages.sysrsync
- python312Packages.vdirsyncer
- python313Packages.vdirsyncer
- python314Packages.vdirsyncer
- @LeSuisse accepted
- @LeSuisse published on GitHub
In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable.
References
Affected products
- =<3.4.1
Matching in nixpkgs
Ignored packages (19)
pkgs.grsync
Synchronize folders, files and make backups
pkgs.rrsync
Helper to run rsync-only environments from ssh-logins
pkgs.rsyncy
Progress bar wrapper for rsync
pkgs.btrsync
Btrfs replication made easy
pkgs.parsync
Tool to parallel rsync-like pull sync over SSH
pkgs.librsync
Implementation of the rsync remote-delta algorithm
pkgs.diskrsync
Rsync for block devices and disk images
pkgs.openrsync
BSD-licensed implementation of rsync
- nixos-unstable 2025-01-27
- nixpkgs-unstable 2025-01-27
- nixos-unstable-small 2025-01-27
pkgs.vdirsyncer
Synchronize calendars and contacts
pkgs.sqlite-rsync
Database remote-copy tool for SQLite
pkgs.yaziPlugins.rsync
Simple rsync plugin for yazi file manager
- nixos-unstable 0-unstable-2026-03-07
- nixpkgs-unstable 0-unstable-2026-03-07
- nixos-unstable-small 0-unstable-2026-03-07
pkgs.python313Packages.btrsync
Btrfs replication made easy
pkgs.python314Packages.btrsync
Btrfs replication made easy
pkgs.python312Packages.sysrsync
None
pkgs.python313Packages.sysrsync
Simple and safe system's rsync wrapper for Python
pkgs.python314Packages.sysrsync
Simple and safe system's rsync wrapper for Python
pkgs.python312Packages.vdirsyncer
None
pkgs.python313Packages.vdirsyncer
Synchronize calendars and contacts
pkgs.python314Packages.vdirsyncer
Synchronize calendars and contacts
Package maintainers
- @pyrox0 Pyrox <pyrox@pyrox.dev>
- @infinisil Silvan Mosberger <contact@infinisil.com>
- @balsoft Alexander Bantyev <balsoft75@gmail.com>