RSync - Multiple Security Vulnerabilities

Hi everyone,

There are 6 security vulnerabilities in rsync versions 3.3.0 and below. More information here.

You can discover if you’re running a vulnerable version by running:

pacman -Q rsync

If you’re running an older version than 3.3.0 you may be vulnerable, and by installing updates you should get a newer version (I got 3.4.0-1 after updating).

Here is a link to the new version in the Arch Repos: https://archlinux.org/packages/extra/x86_64/rsync/

6 Likes
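As an added example (not from the original post or from the rsync or Arch projects): a small POSIX sh script that parses the output of the pacman -Q rsync check above and reports whether the installed package is below the first fixed release, 3.4.0-1. The version comparison is a simplified, numeric-only re-implementation of vercmp ordering, assumed sufficient for rsync's plain X.Y.Z-rel versions; the helper names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: check whether the installed rsync
# package is below the first fixed Arch release (3.4.0-1) as reported by
# "pacman -Q rsync". Note that pacman -Q takes package names only; the
# version string must not be passed as a separate argument.
FIXED_VERSION="3.4.0-1"

# Simplified, numeric-only re-implementation of vercmp(8) ordering
# (assumption: enough for rsync's "X.Y.Z-rel" versions). Prints -1, 0 or 1.
vercmp_simple() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) { print "-1"; exit }
            if (p > q) { print "1"; exit }
        }
        print "0"
    }'
}

# Parse one "rsync <version>" line of pacman -Q output.
# Exit status: 0 = patched, 1 = vulnerable (older than FIXED_VERSION),
# 2 = line not recognised (package not installed, or a bare version string).
check_rsync_line() {
    line=$1
    name=${line%% *}
    ver=${line#* }
    { [ "$name" = "rsync" ] && [ "$ver" != "$line" ]; } || return 2
    cmp=$(vercmp_simple "$ver" "$FIXED_VERSION")
    if [ "$cmp" -lt 0 ]; then
        echo "rsync $ver is older than $FIXED_VERSION: run 'sudo pacman -Syu' (refresh mirrors first if the update is not offered)"
        return 1
    fi
    echo "rsync $ver is at or above $FIXED_VERSION: patched"
    return 0
}

# Run the check against the live system when pacman is available.
if command -v pacman >/dev/null 2>&1; then
    check_rsync_line "$(pacman -Q rsync 2>/dev/null)"
fi
```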

“When combined, the first two vulnerabilities (heap buffer overflow and information leak) allow a client to execute arbitrary code on a device that has an Rsync server running. The client requires only anonymous read-access to the server, such as public mirrors. Additionally, attackers can take control of a malicious server and read/write arbitrary files of any connected client. Sensitive data, such as SSH keys, can be extracted, and malicious code can be executed by overwriting files such as ~/.bashrc or ~/.popt.”

A very unique use-case to be sure. From what I gather only people doing online/cloud backups are affected, not home users backing up to an external hdd for instance?

3 Likes

I would think the package maintainer should be onto this, or onto it when they go online; it seems they only need to apply a patch which, according to the topic, you can apply yourself.

2 Likes

This is a good question haha. I researched further and in the rsync documentation it specifies the following, “Local Rsync jobs (when the source and destination are both on locally mounted filesystems) are done exactly like a push. The client, which becomes the sender, forks a server process to fulfill the receiver role. The client/sender and server/receiver communicate with each other over pipes.”

It’s possible that the RCE from the article you quoted could be initiated from the local machine as it seems that local jobs are still using the client/server model. However, I could be completely mistaken in that.

Updating rsync is easy enough that I would probably install updates.

2 Likes

Clearer, thanks both. I will trust the update when it comes. If the client/server model is used, then does this app regularly call out? Grsync is a monthly tool for me. Thanks for posting this.

1 Like

thanks Endeavour team

pacman -Q rsync
rsync 3.4.0-1
2 Likes

FYI, I talked to the dev of another distro and he told me that of the 6, 4 vulnerabilities were restricted to cloud saving and 2 directly affected home users doing a traditional backup.

1 Like

Rolling release, and long solved with a patched update of rsync from Arch Linux packaging already.

7 Likes

Awesome to see @joekamprad’s post above.

FWIW, when I did try to upgrade through various means I couldn’t. Here’s an example:

sudo pacman -S rsync didn’t show me a newer version than currently installed either. :man_shrugging:

Maybe update your mirrors.

1 Like

Excellent thought. So I just updated all mirrors … same outcome.

The 3.4.0 version is not showing up as being available via pacman (nor yay nor pacseek which shouldn’t then be surprising). :person_shrugging:

I’ve still got 3.3.0-2 installed.

How did you update your mirrors?

I used the EOS Welcome screen shortcuts - both the Arch and EOS mirror updates one after another.

So pacman -Ss rsync still shows only the old version? Can you share your Arch mirror list?

cat /etc/pacman.d/mirrorlist | eos-sendlog

When was the last time you performed maintenance? Here’s the link that I use as my general reference (and it comes from this darling community): A Complete Idiot's Guide To Endeavour OS Maintenance / Update / Upgrade

The commands it suggests are:

reflector --protocol https --verbose --latest 25 --sort rate --save /etc/pacman.d/mirrorlist
yay -Syyu
#optional additional steps
eos-rankmirrors --verbose #saves to /etc/pacman.d/endeavouros-mirrorlist
yay -Syyu
1 Like

Sure will … https://0x0.st/8o61.txt

BTW, what’s odd is that the upgrade (after updating mirrors) worked perfectly on one installation (desktop) but the same method of updating mirrors didn’t offer the 3.4 rsync version on another installation (laptop).

Both systems are running Linux 6.12.8-zen as I keep these computers fairly fresh. Also tried rebooting after mirror update, to no avail.

EDIT UPDATE: Tried same procedures on a third PC (also running Linux 6.12.8-zen) with same issue - i.e., it cannot see rsync 3.4 after updating mirrors and rebooting.

As 3.4.0-1 is given on its own, I think pacman looks for the package with the name “3.4.0-1”, which does not exist.

2 Likes

In response to: pacman -Q rsync rsync 3.4.0-1
I get:

error: package ‘3.4.0-1’ was not found

Which seems a correct statement to me, as there is no such package as “3.4.0-1”.

I think it’s like typing:

pacman -Q 3.4.0-1

Makes sense.

As of this writing, I’m at 1 for 3 successful upgrades to rsync 3.4.0-1, with two other PCs - all running same recent kernel/system updates with newly updated mirrors (per above) - that cannot seem to receive anything beyond the currently installed 3.3.0-2 rsync. Curious enough :thinking: