heise open source news and features at heise open source UK
11 April 2008, 12:29

Security hole closed in rsync file transfer tool

The developers of the rsync file transfer tool have released version 3.0.2 to close a security hole. A buffer overflow related to extended attributes (xattr) is said to allow attackers to remotely inject and execute arbitrary code on vulnerable systems. Although versions 2.6.9 to 3.0.1 of rsync are generally affected, the xattr function is not supported by default on all systems.


An update resolves the problem. Alternatively, users running an rsync daemon can add the line refuse options = xattrs to the /etc/rsyncd.conf file, or add xattrs to an already existing refuse options line. Linux distributors have already released updated packages.
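One way to audit a daemon for this workaround, as an added example that is not part of the original article or of rsync itself: the check below flags versions in the affected range and lists the modules of an rsyncd.conf whose effective refuse options setting does not cover xattrs. The function names and the sample configuration are constructed for illustration; it assumes a module-level refuse options line replaces the global one, and it does not handle continuation lines.

```python
import fnmatch
import re

# Affected range as stated in the article: 2.6.9 up to and including 3.0.1.
AFFECTED_MIN, AFFECTED_MAX = (2, 6, 9), (3, 0, 1)

SAMPLE_CONF = """\
# constructed sample rsyncd.conf, not taken from the article
refuse options = delete
[backup]
    path = /srv/backup
[pub]
    path = /srv/pub
    refuse options = delete xattrs
[mirror]
    refuse options = checksum
"""

def is_affected(version):
    """True if a version string such as '3.0.1' lies in the affected range."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts += (0,) * (3 - len(parts))          # '3.0' is treated as 3.0.0
    return AFFECTED_MIN <= parts <= AFFECTED_MAX

def modules_allowing_xattrs(conf_text):
    """Names of modules whose effective 'refuse options' does not match xattrs."""
    global_refuse, current, modules = [], None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:                                  # start of a module section
            current = m.group(1).strip()
            modules[current] = None            # None = inherit global setting
            continue
        name, sep, value = line.partition("=")
        # Whitespace inside parameter names is ignored; case-folding is an assumption.
        if sep and "".join(name.split()).lower() == "refuseoptions":
            if current is None:
                global_refuse = value.split()
            else:
                modules[current] = value.split()
    # Entries in the list may be wildcards such as 'xattr*'.
    refuses = lambda pats: any(fnmatch.fnmatchcase("xattrs", p) for p in pats)
    return [n for n, own in modules.items()
            if not refuses(global_refuse if own is None else own)]

if __name__ == "__main__":
    print(is_affected("3.0.1"), modules_allowing_xattrs(SAMPLE_CONF))
```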


(mba)
