Comment by bell-cot
3 days ago
My read (not an expert) is that you are safe if your rsync is only via secure connections, to & from systems where untrusted parties can neither run rsync, nor play clever games with the files which rsync is accessing.
Which (in my paranoid opinion) is pretty much the only secure use case anyway, for code like rsync.
> you are safe if your rsync is only via secure connections
Not quite. If server has "command=rsync ..." in ~/.ssh/authorized_keys file, for some ssh key (to allow rsync access, but deny shell access), this vulnerability will allow attacker in possession of that ssh key to go around that restriction, and get shell nonetheless.
He said where untrusted parties aren't able to run rsync.
If I was running an rsync daemon facing the public, it would be in a chroot with dropped privileges.