Nixpkgs Security Tracker

Login with GitHub

Suggestion detail

Untriaged

Permalink CVE-2024-12087

created 4 months, 3 weeks ago

Rsync: path traversal vulnerability in rsync

A path traversal vulnerability exists in rsync. It stems from behavior enabled by the `--inc-recursive` option, a default-enabled option for many client options and can be enabled by the server even if not explicitly enabled by the client. When using the `--inc-recursive` option, a lack of proper symlink verification coupled with deduplication checks occurring on a per-file-list basis could allow a server to write files outside of the client's intended destination directory. A malicious server could write malicious files to arbitrary locations named after valid directories/paths on the client.

Affected products

rhcos

rsync

=<3.3.0
*

discovery/discovery-ui-rhel9

*

registry.redhat.io/discovery/discovery-ui-rhel9

*

Matching in nixpkgs

pkgs.rsync

Fast incremental file transfer utility

nixos-unstable -
- nixpkgs-unstable 3.4.1

pkgs.grsync

Synchronize folders, files and make backups

nixos-unstable -
- nixpkgs-unstable 1.3.1

pkgs.rrsync

Helper to run rsync-only environments from ssh-logins

nixos-unstable -
- nixpkgs-unstable 3.4.1

pkgs.rsyncy

Progress bar wrapper for rsync

nixos-unstable -
- nixpkgs-unstable 2.1.0

pkgs.librsync

Implementation of the rsync remote-delta algorithm

nixos-unstable -
- nixpkgs-unstable 2.3.4

pkgs.diskrsync

Rsync for block devices and disk images

nixos-unstable -
- nixpkgs-unstable 1.3.0

pkgs.ethersync

Real-time co-editing of local text files

nixos-unstable -
- nixpkgs-unstable 0.7.0

pkgs.openrsync

BSD-licensed implementation of rsync

nixos-unstable -
- nixpkgs-unstable 2025-01-27

pkgs.sqlite-rsync

Database remote-copy tool for SQLite

nixos-unstable -
- nixpkgs-unstable 3.50.2

pkgs.vdirsyncerStable

Synchronize calendars and contacts

nixos-unstable -
- nixpkgs-unstable 0.20.0

pkgs.yaziPlugins.rsync

Simple rsync plugin for yazi file manager

nixos-unstable -
- nixpkgs-unstable 0-unstable-2025-06-09

pkgs.vimPlugins.ethersync

Real-time co-editing of local text files

nixos-unstable -
- nixpkgs-unstable 0.7.0

pkgs.python312Packages.sysrsync

Simple and safe system's rsync wrapper for Python

nixos-unstable -
- nixpkgs-unstable 1.1.1

pkgs.python313Packages.sysrsync

Simple and safe system's rsync wrapper for Python

nixos-unstable -
- nixpkgs-unstable 1.1.1

pkgs.python312Packages.vdirsyncer

Synchronize calendars and contacts

nixos-unstable -
- nixpkgs-unstable 0.20.0

pkgs.python313Packages.vdirsyncer

Synchronize calendars and contacts

nixos-unstable -
- nixpkgs-unstable 0.20.0

pkgs.vscode-extensions.ethersync.ethersync

Extension for real-time co-editing of local text files

nixos-unstable -
- nixpkgs-unstable 0.4.0

Package maintainers

@jluttine Jaakko Luttinen <jaakko.luttinen@iki.fi>
@OPNA2608 Cosima Neidahl <opna2608@protonmail.com>
@wegank Weijia Wang <contact@weijia.wang>
@ethancedwards8 Ethan Carter Edwards <ethan@ethancedwards.com>
@eljamm Fedi Jamoussi <fedi.jamoussi@protonmail.ch>
@Prince213 Sizhe Zhao <prc.zhao@outlook.com>
@fricklerhandwerk Valentin Gagarin <valentin@fricklerhandwerk.de>
@kuznero Roman Kuznetsov <roman@kuznero.com>
@fgaz Francesco Gazzetta <fgaz@fgaz.me>
@veprbl Dmitry Kalinkin <veprbl@gmail.com>
@stephen-huan Stephen Huan <stephen.huan@cgdct.moe>
@kampfschlaefer Arnold Krille <arnold@arnoldarts.de>
@ivan Ivan Kozik <ivan@ludios.org>
@nycodeghg Marie Ramlow <tabmeier12+nix@gmail.com>
@JohnAZoidberg Daniel Schäfer <git@danielschaefer.me>
@teto Matthieu Coudron <mcoudron@hotmail.com>