[Secure-testing-team] Bug#862899: rsync: insufficient escaping/quoting of arguments
Thorsten Glaser
tg at mirbsd.de
Thu May 18 11:16:23 UTC 2017
Package: rsync
Version: 3.1.2-2
Severity: serious
Tags: security upstream
Justification: security-relevant
Assume my home directory on 'remote' has no files matching '*4'.
Now run this:
remote$ touch ./-zT.mp4
local$ mkdir test
local$ cd test
local$ rsync -zavPH --numeric-ids -S --stats '--rsh=ssh -T' $remote:\*4 .
Expected: the “-zT.mp4” file is transferred.
Actual: the whole home directory of $remote, including subdirectories
and everything, is transferred.
Now imagine I had not cd’d into a new subdirectory. I have overwritten
all files in my own home directory that are present on remote’s before
I managed to press ^C and lost my TODO file and some dotfiles.
Yes, files starting with a U+002D HYPHEN-MINUS are problematic. I’d
still expect files that have passed muster on the local side to be
properly escaped to the remote side.
I think this is simply a case of a missing “--” argument before the
pathnames on the constructed rsh command line. When I do…
$ rsync -zavPH --numeric-ids -S --stats '--rsh=logger --' localhost:\* .
… I get this in syslog:
localhost rsync --server --sender -vlHogDtprSze.iLsfxC --numeric-ids . *
Now if after --numeric-ids there was a -- I believe the problem would
go away. (I’m aware of rsync’s capability to apply remote globs, and
this is not the problem here; in fact, the first command of mine above
relies on that. This is strictly about the hyphen-minus, which is not
uncommon in filenames created by youtube-dl.)
-- System Information:
Debian Release: 9.0
APT prefers unreleased
APT policy: (500, 'unreleased'), (500, 'buildd-unstable'), (500, 'unstable')
Architecture: x32 (x86_64)
Foreign Architectures: i386, amd64
Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)
Versions of packages rsync depends on:
ii base-files 9.9
ii init-system-helpers 1.48
ii libacl1 2.2.52-3+b1
ii libattr1 1:2.4.47-2+b2
ii libc6 2.24-10
ii libpopt0 1.16-10+b2
ii lsb-base 9.20161125
rsync recommends no packages.
Versions of packages rsync suggests:
ii openssh-client 1:7.4p1-10
ii openssh-server 1:7.4p1-10
-- no debconf information
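The argument confusion described in the report, reproduced locally as an added example (this is not code from the bug report or from rsync). The remote login shell expands the glob and splices the result into the argv of the remote `rsync --server`, so a name such as "-zT.mp4" lands where the server expects an option. The remote server is stood in for here by a small getopt-style classifier that stops option processing at "--"; that stub, the constructed home directory and the `remote_side` helper are assumptions of this example, not rsync's own code.

```shell
#!/bin/sh
# Added example, not part of the bug report or of rsync: a local stand-in for
# the remote side of the transfer. The remote shell expands the glob, and the
# expansion is spliced into the argv of the remote `rsync --server`, so a
# filename such as "-zT.mp4" arrives where an option is expected. The server
# is modelled by a small getopt-style classifier (an assumption of this
# example); it stops treating arguments as options once it sees "--".

# classify_args ARG...
# Prints one line: options:[...] files:[...]
classify_args() {
    opts=''
    files=''
    in_opts=1
    for arg in "$@"; do
        if [ "$in_opts" -eq 1 ]; then
            case $arg in
                --) in_opts=0; continue ;;               # end of options
                -*) opts="${opts:+$opts }$arg"; continue ;;  # looks like an option
            esac
        fi
        files="${files:+$files }$arg"
    done
    printf 'options:[%s] files:[%s]\n' "$opts" "$files"
}

# remote_side DIR GLOB SEPARATOR
# Mimics `ssh remote rsync --server --sender ... --numeric-ids SEPARATOR . GLOB`:
# the glob is expanded by the remote shell in DIR before the server ever sees
# the argument list. SEPARATOR is "" for the command line rsync builds today
# and "--" for the separator the report proposes.
remote_side() {
    dir=$1; pattern=$2; sep=$3
    (
        cd "$dir" || exit 1
        # eval performs the word splitting and pathname expansion that the
        # remote login shell would perform on the command string.
        eval "set -- --numeric-ids $sep . $pattern"
        classify_args "$@"
    )
}

# Stand-alone demonstration on a constructed remote home directory.
demo() {
    home=$(mktemp -d) || return 1
    touch "$home/-zT.mp4" "$home/TODO" "$home/.profile"
    echo "current command line (no --):"
    remote_side "$home" '*4' ''
    echo "with -- after the option block:"
    remote_side "$home" '*4' '--'
    rm -rf "$home"
}

demo
```

Without the separator the only source argument the stub sees is ".", which for a real `rsync --server --sender` means the whole remote home directory, matching the transfer the report describes; "-zT.mp4" has been consumed as an option. With "--" after the option block the same expansion is classified as a file argument. The report's `--rsh=logger --` trick is the way to see the real command line rsync constructs for a given invocation.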