Rsync Out-of-Bounds Read Vulnerability via Negative Array Index

Vulnerability

A vulnerability in Rsync allows a malicious client to trigger an out-of-bounds read of a heap-based buffer by supplying a negative array index during a file transfer. Exploitation requires at least read access to the remote Rsync module; an attacker who can list or pull files from a daemon share meets that bar. The issue is fixed in Rsync version 3.2.7.
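The pattern behind this class of bug, as an added illustration (not rsync's code): a signed index that comes from the peer is checked only against the upper bound, so a negative value indexes before the start of a heap array. The struct, function names and the lookup routines below are assumptions chosen to show the defect beside its hardened form.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative file-list record (hypothetical; stands in for whatever the
 * real daemon keeps per file). */
struct file_entry {
    char name[32];
    long size;
};

/* Vulnerable pattern: idx is peer-controlled and signed, but only the upper
 * bound is checked, so idx == -1 returns a pointer one element before the
 * heap array. Dereferencing it is an out-of-bounds read; under
 * -fsanitize=address that shows up as "heap-buffer-overflow READ". */
const struct file_entry *lookup_unchecked(const struct file_entry *list,
                                          int count, int idx)
{
    if (idx >= count)
        return NULL;
    return &list[idx];          /* idx < 0 slips through */
}

/* Hardened pattern: reject everything outside [0, count). */
const struct file_entry *lookup_checked(const struct file_entry *list,
                                        int count, int idx)
{
    if (idx < 0 || idx >= count)
        return NULL;
    return &list[idx];
}

/* Build a small heap-allocated list, as a daemon would for a module's file
 * list. Caller frees. */
struct file_entry *make_list(int count)
{
    struct file_entry *list = calloc((size_t)count, sizeof *list);
    if (!list)
        return NULL;
    for (int i = 0; i < count; i++) {
        snprintf(list[i].name, sizeof list[i].name, "file%d", i);
        list[i].size = 1024L * (i + 1);
    }
    return list;
}

/* 1 if the unchecked lookup hands back a pointer for idx, 0 if it rejects it. */
int unchecked_accepts(int count, int idx)
{
    struct file_entry *list = make_list(count);
    int accepted = list && lookup_unchecked(list, count, idx) != NULL;
    free(list);
    return accepted;
}

/* Same question for the hardened lookup. */
int checked_accepts(int count, int idx)
{
    struct file_entry *list = make_list(count);
    int accepted = list && lookup_checked(list, count, idx) != NULL;
    free(list);
    return accepted;
}

int main(void)
{
    int peer_indices[] = { 0, 2, 3, -1 };
    for (size_t i = 0; i < sizeof peer_indices / sizeof peer_indices[0]; i++) {
        int idx = peer_indices[i];
        printf("idx=%2d unchecked:%s checked:%s\n", idx,
               unchecked_accepts(3, idx) ? "accept" : "reject",
               checked_accepts(3, idx) ? "accept" : "reject");
    }
    return 0;
}
```

The fix is the `idx < 0` half of the range check; rsync's own patch differs in detail, but the defensive rule is the same: any index that originates on the wire is validated against both ends of the buffer before use.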

Impact

Exploitation produces a heap-buffer-overflow read, which can crash the daemon or cause unexpected behavior. The primary effect is an out-of-bounds read rather than a write; however, it could potentially be combined with heap manipulation to control a tainted file structure and reach further exploitation.

Reproduction

To reproduce this vulnerability, a client initiates an Rsync file transfer with the '-r' flag (recursive transfer) against a remote Rsync module to which it has read access. During the transfer the server performs the out-of-bounds read. On a daemon built with a memory sanitizer such as AddressSanitizer, the server-side output reports a heap-buffer-overflow read, confirming the issue; a non-instrumented daemon may instead crash or continue without any visible error.

Remediation

Update to Rsync version 3.2.7 or later, where this vulnerability is fixed. Distribution packages may carry the fix as a backport without a version bump, so check the vendor advisory as well as the reported version.
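A quick way to check a host against the fixed version is to parse the first line of `rsync --version`. The following is an added example, not part of the advisory or of rsync: it parses the "rsync  version X.Y.Z  protocol version N" line (the sample strings are constructed) and compares the version to 3.2.7. The function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Minimum version carrying the fix described in this advisory. */
enum { FIX_MAJOR = 3, FIX_MINOR = 2, FIX_PATCH = 7 };

/* Parse MAJOR.MINOR[.PATCH] from a line such as
 * "rsync  version 3.2.7  protocol version 31". Returns 0 on success. */
int parse_rsync_version(const char *line, int *maj, int *min, int *pat)
{
    const char *p = strstr(line, "version ");
    if (!p)
        return -1;
    p += strlen("version ");
    *maj = *min = *pat = 0;
    int n = sscanf(p, "%d.%d.%d", maj, min, pat);   /* patch is optional */
    return (n >= 2) ? 0 : -1;
}

/* Compare two dotted versions: <0, 0 or >0 like strcmp. */
int version_cmp(int a_maj, int a_min, int a_pat,
                int b_maj, int b_min, int b_pat)
{
    if (a_maj != b_maj) return a_maj - b_maj;
    if (a_min != b_min) return a_min - b_min;
    return a_pat - b_pat;
}

/* 1 if the reported version is >= 3.2.7, 0 if older, -1 if unparseable. */
int rsync_has_fix(const char *version_line)
{
    int maj, min, pat;
    if (parse_rsync_version(version_line, &maj, &min, &pat) != 0)
        return -1;
    return version_cmp(maj, min, pat, FIX_MAJOR, FIX_MINOR, FIX_PATCH) >= 0;
}

int main(void)
{
    /* Constructed sample lines in the format `rsync --version` prints. */
    const char *samples[] = {
        "rsync  version 3.1.3  protocol version 31",
        "rsync  version 3.2.3  protocol version 31",
        "rsync  version 3.2.7  protocol version 31",
        "rsync  version 3.4.1  protocol version 32",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = rsync_has_fix(samples[i]);
        printf("%-45s -> %s\n", samples[i],
               r < 0 ? "unparseable" : r ? "fixed" : "VULNERABLE");
    }
    return 0;
}
```

In practice the line would be read from `rsync --version` on each daemon host (or from the version banner the daemon sends on connect); a "VULNERABLE" result on a distribution package still needs confirmation against the vendor's changelog because of backported fixes.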

Added: Nov 18, 2025, 3:30 PM
Updated: Nov 18, 2025, 3:30 PM

Vulnerability Rating

Custom Algorithm
spread: 8.1
impact: 0.6
exploitability: 5.9
remediation: 0.0
relevance: 1.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined into the overall risk score.