Rsync versions before 3.4.3 contain an off-by-one out-of-bounds stack write vulnerability in the establish_proxy_connection() function in socket.c that allows network attackers to corrupt stack memory by sending a malformed HTTP proxy response. When the RSYNC_PROXY environment variable is set, an attacker who is positioned between the client and the proxy, or who controls the proxy server, can send a response line of 1023 or more bytes without a newline terminator, which causes a null byte to be written to an out-of-bounds stack address.
A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.
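The following added example is a constructed model of this class of off-by-one in a line reader, shown beside one hardened form; it is not rsync's source code and not the project's fix. The 1024-byte buffer size, the function names and the in-memory "response" are assumptions made for illustration, and a guard byte placed after the buffer makes the stray write observable without touching memory outside the test object.

```c
#include <stddef.h>
#include <string.h>

#define LINE_CAP 1024 /* assumed buffer size, chosen to match the 1023-byte threshold */
typedef long (*reader_fn)(char *, size_t, const char *, size_t);

/* Flawed: copies up to cap-1 bytes, then terminates one slot too far.
 * Returns the index where NUL was written, or -1 if input ran out. */
long read_line_flawed(char *buf, size_t cap, const char *src, size_t n)
{
    size_t i, got = 0;
    for (i = 0; i < cap - 1; i++) {
        if (got == n) return -1;       /* models a failed read */
        buf[i] = src[got++];
        if (buf[i] == '\n') break;
    }
    if (buf[i] != '\n')                /* no newline seen: i == cap-1 here */
        i++;                           /* BUG: i becomes cap */
    buf[i] = '\0';                     /* writes buf[cap], one past the end */
    return (long)i;
}

/* Hardened: the index never exceeds cap-1 and over-long lines are rejected. */
long read_line_fixed(char *buf, size_t cap, const char *src, size_t n)
{
    size_t i, got = 0;
    for (i = 0; i < cap - 1; i++) {
        if (got == n) return -1;
        buf[i] = src[got++];
        if (buf[i] == '\n') { buf[i] = '\0'; return (long)i; }
    }
    buf[cap - 1] = '\0';               /* last valid slot, still in bounds */
    return -1;                         /* line too long: treat as an error */
}

/* Feeds `len` bytes with no newline (constructed input, len <= 2*LINE_CAP)
 * and reports whether the guard byte after the buffer was overwritten. */
int guard_clobbered(reader_fn reader, size_t len)
{
    char store[LINE_CAP + 1];          /* LINE_CAP-byte buffer + 1 guard byte */
    char resp[LINE_CAP * 2];
    memset(store, 0x7f, sizeof store);
    memset(resp, 'A', sizeof resp);
    reader(store, LINE_CAP, resp, len);
    return store[LINE_CAP] != 0x7f;
}

int main(void) { return guard_clobbered(read_line_fixed, 1023); }
```
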
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Rsync | Samba | * | 3.4.3 (excluding) |
| Rsync | Ubuntu | devel | * |
| Rsync | Ubuntu | esm-infra-legacy/trusty | * |
| Rsync | Ubuntu | esm-infra-legacy/xenial | * |
| Rsync | Ubuntu | esm-infra/bionic | * |
| Rsync | Ubuntu | esm-infra/focal | * |
| Rsync | Ubuntu | esm-infra/xenial | * |
| Rsync | Ubuntu | jammy | * |
| Rsync | Ubuntu | noble | * |
| Rsync | Ubuntu | questing | * |
| Rsync | Ubuntu | resolute | * |
| Rsync | Ubuntu | upstream | * |