Comment by concerndc1tizen

My reading is that the first two CVEs are with rsync daemon, but the others are more general - I think "rsync server" is meaning the remote rsync process that is started when you use ssh to connect to the remote. Some of them suggest the rsync client (running on your machine) can be coerced to write to unexpected locations by a malicious rsync server specifically crafted to exploit these CVEs. One suggests a malicious rsync server might be able to reconstruct the contents of arbitrary files on the client using requests sent via the rsync protocol.

I guess the main takeaway is to be careful using rsync connections to machines that you don't trust.

It's the same protocol and code implementing it just proxied over SSH instead of a local pipe or unix socket pair. It's a real world issue unless you trust the remote rsync process and the connection with your local user. So basically only SSH between your single-user desktop and same single-user laptop is unimpacted.

Every rsync operation (even locally) involves an rsync client and a separate rsync server process.

My read (not an expert) is that you are safe if your rsync is only via secure connections, to & from systems where untrusted parties can neither run rsync, nor play clever games with the files which rsync is accessing.

Which (in my paranoid opinion) is pretty much the only secure use case anyway, for code like rsync.

[dead]

[dead]