CVE-2014-8990

NameCVE-2014-8990
Descriptiondefault-rsyncssh.lua in Lsyncd 2.1.5 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in a filename.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-3130-1
Debian Bugs767227

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
lsyncd (PTS)sid, trixie, bookworm, bullseye2.2.3-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
lsyncdsourcewheezy2.0.7-3+deb7u1DSA-3130-1
lsyncdsource(unstable)2.1.5-2low767227

Notes

[squeeze] - lsyncd <no-dsa> (Minor issue)
https://github.com/axkibe/lsyncd/issues/220
Upstream commit: https://github.com/creshal/lsyncd/commit/18f02ad013b41a72753912155ae2ba72f2a53e52
also required: https://github.com/axkibe/lsyncd/commit/e9ffda07f0145f50f2756f8ee3fb0775b455122b
the initial commit would be an incomplete fix and needs additional changes
Search for package or bug name: Reporting problems