rpms/rsync
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions

[security][HIGH] rsync 3.4.1: 3 CVE require triage #1

New issue
Closed
opened 2026-05-25 00:46:42 +03:00 by sbelikov · 1 comment
sbelikov commented 2026-05-25 00:46:42 +03:00
Owner
Copy link

CVE triage request / Запрос на разбор CVE

Package / Пакет

  • Package: rsync
  • Version: 3.4.1
  • EVR: 3.4.1-1
  • Category: -
  • Policy class: -
  • NiceOS policy class: -
  • Owner: -
  • Severity: HIGH
  • Max CVSS: 7.8
  • CVE count: 3

LLM recommendation / Рекомендация LLM

RU

Для пакета rsync 3.4.1 найдены CVE-кандидаты по данным NVD/CPE: CVE-2026-29518, CVE-2026-41035, CVE-2026-43619. Требуется triage security-team.

Проверить применимость CVE к сборке НАЙС.ОС, сопоставить с upstream/vendor advisory, определить статус affected/fixed/not_affected и при необходимости подготовить обновление пакета.

Рекомендуемое действие: needs_triage

Подсказка по целевой версии: -

Проверки: Проверить сборку RPM, обновление пакета, совместимость зависимостей, service/CLI smoke tests и регрессионные сценарии по классу пакета.

Риски: Автоматическое совпадение NVD/CPE не является финальным вердиктом по НАЙС.ОС.

EN

NVD/CPE candidate CVEs were found for rsync 3.4.1: CVE-2026-29518, CVE-2026-41035, CVE-2026-43619. Security-team triage is required.

Verify CVE applicability to the NiceOS build, compare with upstream/vendor advisories, set affected/fixed/not_affected status, and prepare a package update if required.

Recommended action: needs_triage

Target version hint: -

Tests: Run RPM build, package upgrade, dependency compatibility, service/CLI smoke tests, and package-class-specific regression tests.

Risks: An automatic NVD/CPE match is not the final NiceOS vulnerability verdict.

CVE candidates from NVD/CPE

CVE Severity CVSS Match NiceOS status Reason
CVE-2026-41035 HIGH 7.8 cpe-range needs_triage package version is inside version range
CVE-2026-29518 HIGH 7.3 cpe-range needs_triage package version is inside version range
CVE-2026-43619 HIGH 7.2 cpe-range needs_triage package version is inside version range

Descriptions

CVE-2026-41035

In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable.

CVE-2026-29518

Rsync versions before 3.4.3 contain a time-of-check to time-of-use (TOCTOU) race condition in daemon file handling that allows attackers to redirect file writes outside intended directories by replacing parent directory components with symbolic links. Attackers with write access to a module path can exploit this race condition to create or overwrite arbitrary files, potentially modifying sensitive system files and achieving privilege escalation when the daemon runs with elevated privileges. This vulnerability can only be triggered if the chroot setting is false.

CVE-2026-43619

Rsync version 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls including chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat that allow local attackers to redirect operations to files outside the exported rsync module. Attackers with local filesystem access can exploit the timing window between path resolution and syscall execution by swapping symlinks to apply sender-supplied permissions, ownership, timestamps, or filenames to arbitrary files outside the intended module boundary on rsync daemons configured with 'use chroot = no'.

Maintainer checklist

  • Verify whether each CVE applies to the NiceOS build.
  • Compare NVD data with upstream/vendor advisory.
  • Set final NiceOS status: affected, fixed, not_affected, false_positive, deferred, or not_in_cloud_image.
  • If affected, decide update/backport strategy according to package policy class.
  • Run package-class-specific build, upgrade and regression tests.
  • Add/update niceos_cve_triage entry.
  • Create NICE-SA advisory if a security update is shipped.

Machine metadata

{
  "cves": [
    "CVE-2026-29518",
    "CVE-2026-41035",
    "CVE-2026-43619"
  ],
  "fingerprint": "e368a23603d243275bf2",
  "generated_at": "2026-05-24T21:46:42Z",
  "package": "rsync",
  "prompt_version": "niceos_cve_issue_analysis_v1",
  "tool": "niceos_cve_create_issues.py",
  "tool_version": "1.0",
  "version": "3.4.1"
}
<!-- niceos-cve-fingerprint: e368a23603d243275bf2 --> # CVE triage request / Запрос на разбор CVE ## Package / Пакет - Package: `rsync` - Version: `3.4.1` - EVR: `3.4.1-1` - Category: `-` - Policy class: `-` - NiceOS policy class: `-` - Owner: `-` - Severity: `HIGH` - Max CVSS: `7.8` - CVE count: `3` ## LLM recommendation / Рекомендация LLM ### RU Для пакета rsync 3.4.1 найдены CVE-кандидаты по данным NVD/CPE: CVE-2026-29518, CVE-2026-41035, CVE-2026-43619. Требуется triage security-team. Проверить применимость CVE к сборке НАЙС.ОС, сопоставить с upstream/vendor advisory, определить статус affected/fixed/not_affected и при необходимости подготовить обновление пакета. **Рекомендуемое действие:** `needs_triage` **Подсказка по целевой версии:** `-` **Проверки:** Проверить сборку RPM, обновление пакета, совместимость зависимостей, service/CLI smoke tests и регрессионные сценарии по классу пакета. **Риски:** Автоматическое совпадение NVD/CPE не является финальным вердиктом по НАЙС.ОС. ### EN NVD/CPE candidate CVEs were found for rsync 3.4.1: CVE-2026-29518, CVE-2026-41035, CVE-2026-43619. Security-team triage is required. Verify CVE applicability to the NiceOS build, compare with upstream/vendor advisories, set affected/fixed/not_affected status, and prepare a package update if required. **Recommended action:** `needs_triage` **Target version hint:** `-` **Tests:** Run RPM build, package upgrade, dependency compatibility, service/CLI smoke tests, and package-class-specific regression tests. **Risks:** An automatic NVD/CPE match is not the final NiceOS vulnerability verdict. ## CVE candidates from NVD/CPE | CVE | Severity | CVSS | Match | NiceOS status | Reason | |---|---|---:|---|---|---| | CVE-2026-41035 | HIGH | 7.8 | cpe-range | needs_triage | package version is inside version range | | CVE-2026-29518 | HIGH | 7.3 | cpe-range | needs_triage | package version is inside version range | | CVE-2026-43619 | HIGH | 7.2 | cpe-range | needs_triage | package version is inside version range | ## Descriptions ### CVE-2026-41035 In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable. ### CVE-2026-29518 Rsync versions before 3.4.3 contain a time-of-check to time-of-use (TOCTOU) race condition in daemon file handling that allows attackers to redirect file writes outside intended directories by replacing parent directory components with symbolic links. Attackers with write access to a module path can exploit this race condition to create or overwrite arbitrary files, potentially modifying sensitive system files and achieving privilege escalation when the daemon runs with elevated privileges. This vulnerability can only be triggered if the chroot setting is false. ### CVE-2026-43619 Rsync version 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls including chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat that allow local attackers to redirect operations to files outside the exported rsync module. Attackers with local filesystem access can exploit the timing window between path resolution and syscall execution by swapping symlinks to apply sender-supplied permissions, ownership, timestamps, or filenames to arbitrary files outside the intended module boundary on rsync daemons configured with 'use chroot = no'. ## Maintainer checklist - [ ] Verify whether each CVE applies to the NiceOS build. - [ ] Compare NVD data with upstream/vendor advisory. - [ ] Set final NiceOS status: `affected`, `fixed`, `not_affected`, `false_positive`, `deferred`, or `not_in_cloud_image`. - [ ] If affected, decide update/backport strategy according to package policy class. - [ ] Run package-class-specific build, upgrade and regression tests. - [ ] Add/update `niceos_cve_triage` entry. - [ ] Create `NICE-SA` advisory if a security update is shipped. ## Machine metadata ```json { "cves": [ "CVE-2026-29518", "CVE-2026-41035", "CVE-2026-43619" ], "fingerprint": "e368a23603d243275bf2", "generated_at": "2026-05-24T21:46:42Z", "package": "rsync", "prompt_version": "niceos_cve_issue_analysis_v1", "tool": "niceos_cve_create_issues.py", "tool_version": "1.0", "version": "3.4.1" } ```
sbelikov commented 2026-05-25 02:07:03 +03:00
Author
Owner
Copy link

rsync 3.4.3 security update for NiceOS 5.2 #2

rsync 3.4.3 security update for NiceOS 5.2 #2
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
niceos-5.2
update-rsync-3.4.3
No results found.
Labels
Clear labels   
ai-summary
Issue contains local NiceSOFT AI generated preliminary analysis

  
bot
Created by automation

  
needs-build
Needs build verification

  
needs-triage
Needs maintainer triage

  
priority/medium
Medium priority

  
update/patch
Patch-level update

  
upstream-update
New upstream version is available

  
upstream/github
GitHub upstream

No labels
ai-summary
bot
needs-build
needs-triage
priority/medium
update/patch
upstream-update
upstream/github
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
rpms/rsync#1
No description provided.