rsync
cpe:2.3:a:gnu:rsync:*:*:*:*:*:*:*
- >= 3.0.1, <= 3.4.1
A use-after-free vulnerability has been identified in rsync versions 3.0.1 through 3.4.1. The issue arises in the receive_xattr function, where an untrusted length value is used in a qsort call, leading to a use-after-free condition on the receiver side. This vulnerability is triggered when rsync is run with the -X (or --xattrs) option. On Linux, many common configurations are vulnerable, while non-Linux platforms are more widely affected.
Exploitation of this vulnerability causes a segmentation fault in the rsync process, crashing the receiver. However, the vulnerability also introduces use-after-free conditions that can be exploited to create dangling pointers, leading to double-free scenarios or free-of-allocated-memory conditions, which can corrupt the heap state.
To reproduce this vulnerability, a file must be transferred using rsync from a Linux sender to a non-Linux receiver, such as FreeBSD, while the receiver is running as a non-root user. The sender must include non-user namespace extended attributes, which can be achieved by using rsync with the -X option. The receiver will crash due to the use-after-free vulnerability when it processes the extended attributes.
Users can upgrade to rsync version 3.4.2 or later, where this vulnerability has been fixed.
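A triage check for the conditions described above, as an added example that is not part of the original advisory: it flags a host when the `rsync --version` banner falls in 3.0.1 through 3.4.1 and the rsync command line leaves `-X`/`--xattrs` in effect. The banner and command strings are constructed samples, and the function names are hypothetical.

```python
import re
import shlex

AFFECTED_MIN = (3, 0, 1)       # first affected release, per the advisory
AFFECTED_MAX = (3, 4, 1)       # last affected release; 3.4.2 carries the fix
ARG_SHORT_OPTS = set("efBTM")  # short options whose remainder is a value


def parse_version(banner):
    """Extract (major, minor, patch) from the first line of `rsync --version`."""
    m = re.search(r"rsync\s+version\s+(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None


def version_affected(version):
    return version is not None and AFFECTED_MIN <= version <= AFFECTED_MAX


def xattrs_enabled(command):
    """True if -X / --xattrs is still in effect after all options are read."""
    enabled = False
    for tok in shlex.split(command):
        if tok == "--":
            break                      # everything after this is a path
        if tok == "--xattrs":
            enabled = True
        elif tok in ("--no-xattrs", "--no-X"):
            enabled = False            # a later negation switches it off
        elif tok.startswith("-") and not tok.startswith("--"):
            for ch in tok[1:]:         # clustered short options, e.g. -avX
                if ch in ARG_SHORT_OPTS:
                    break              # rest of the token is that option's value
                if ch == "X":
                    enabled = True
    return enabled


def triage(banner, command):
    """Classify one host/command pair against the advisory's conditions."""
    if not version_affected(parse_version(banner)):
        return "not-affected-version"
    return "exposed" if xattrs_enabled(command) else "affected-version-xattrs-off"


if __name__ == "__main__":
    banner = "rsync  version 3.2.7  protocol version 31"  # constructed sample
    for cmd in ("rsync -aX src/ host:dst/", "rsync -a -e 'ssh -X' src/ host:dst/"):
        print(triage(banner, cmd), "<-", cmd)
```

Distribution packages can carry a backported fix under an unchanged upstream version, so treat a version match as a prompt to check the package changelog.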