Rsync --safe-links Option Bypass Leading to Path Traversal Vulnerability

Vulnerability

A path traversal vulnerability has been identified in the rsync utility when the '--safe-links' option is used. The rsync client does not properly verify whether a symbolic link destination sent by the server itself passes through another symbolic link, so a chain of links can resolve outside the intended directory. This flaw can lead to arbitrary file writes in unintended locations.

Impact

Exploitation of this vulnerability allows a malicious server to create symbolic links that bypass the client's link safety checks, potentially leading to unauthorized file writes outside of designated directories.

Reproduction

To reproduce this vulnerability, use rsync client version 3.2.7 with the '--safe-links' option enabled. Connect to an rsync server that sends symbolic links pointing to other links, forming a chain that ultimately resolves outside the intended directory. The client follows the links, resulting in a path traversal and files being written in unauthorized locations.
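The difference between a check that inspects only the link target's text and one that resolves the target against links already on disk is what the chain described above exploits. The following is an added illustration, not rsync's own code: the depth-counting check is a reconstruction of the lexical approach, the directory layout ("sub/up" pointing to its parent) is constructed for the demo, and the resolved check shows the containment test a client should apply.

```python
import os
import shutil
import tempfile

def lexically_safe(link_depth: int, target: str) -> bool:
    """Purely lexical check: reject absolute targets and any '..' that climbs
    above the transfer root. Reconstructed to illustrate the weakness; this is
    not rsync's source."""
    if target.startswith("/"):
        return False
    depth = link_depth
    for part in target.split("/"):
        if part == "..":
            depth -= 1
            if depth < 0:
                return False
        elif part not in ("", "."):
            depth += 1
    return True

def resolved_safe(root: str, link_name: str, target: str) -> bool:
    """Containment check that follows symlinks already present on disk:
    the real path of the target must stay inside the real root."""
    root_real = os.path.realpath(root)
    link_dir = os.path.dirname(os.path.join(root_real, link_name))
    resolved = os.path.realpath(os.path.join(link_dir, target))
    return resolved == root_real or resolved.startswith(root_real + os.sep)

def demo() -> dict:
    """Constructed scenario: a link already in the tree points to its parent
    directory, and a second link's target passes through it. Returns the
    verdict of both checks for a chained and a plain target."""
    root = tempfile.mkdtemp(prefix="rsync-dest-")
    try:
        os.mkdir(os.path.join(root, "sub"))
        os.symlink("..", os.path.join(root, "sub", "up"))  # depth 1 -> 0, lexically fine
        chained = "sub/up/../../escaped.txt"                # climbs twice once 'up' is followed
        plain = "sub/data.txt"
        return {
            "chained_lexical": lexically_safe(0, chained),
            "chained_resolved": resolved_safe(root, "link", chained),
            "plain_lexical": lexically_safe(0, plain),
            "plain_resolved": resolved_safe(root, "link", plain),
        }
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    print(demo())
```

The lexical check accepts the chained target because its '..' components never outnumber the preceding names, while the resolved check rejects it because "sub/up" already points one level up.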

Remediation

Update to rsync version 3.4.0, where this vulnerability has been patched. For Red Hat users, the update is available through the Red Hat Enterprise Linux 8 and 9 channels.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 8.1
impact: 2.5
exploitability: 7.4
remediation: 7.7
relevance: 0.0
threat: 6.5
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.