This is a pretty serious bug/vulnerability that’s been fixed in the latest version of rsync.
It allows a malicious server to write files to arbitrary locations on the computer of the person downloading from that server.
As far as I can tell it doesn’t have a CVE.
I thought it was surprising because it’s such a serious vulnerability, and it has been open for a very long time. It seems to me very important that clients both upgrade their rsync version and consider the possibility of some sort of chroot to add extra security against something like this in future.
Disclosure on the rsync website:
The bug report and its follow-up:
The writeup by Baidu security team:
The fix itself: