CVE-2014-9512 (retired)

rsync 3.1.1 allows remote attackers to write to arbitrary files via a
symlink attack on a file in the synchronization path.
 mdeslaur> rsync 3.1.1 introduced invalid filename filtering to prevent
 mdeslaur> malicious servers from sending files outside of the specified
 mdeslaur> directory:
 mdeslaur> CVE-2014-9512 is about malicious servers being able to bypass
 mdeslaur> that filtering by changing paths.
 mdeslaur> This is a security hardening feature that was added in 3.1.1.
 mdeslaur> Either the whole feature needs to be backported to versions
 mdeslaur> earlier than 3.1.1, or this issue doesn't apply to them.
 mdeslaur> A second commit was later added:
 mdeslaur> Packages in vivid+ claim that this CVE is fixed, but are missing
 mdeslaur> the second commit.

Updated: 2019-03-26 12:13:52 UTC (commit ccdecfcf0fead22bd291e5f4ea745a46872dcb15)