CVE-2024-12086

Name	CVE-2024-12086
Description	A flaw was found in rsync. It could allow a server to enumerate the contents of an arbitrary file from the client's machine. This issue occurs when files are being copied from a client to a server. During this process, the rsync server will send checksums of local data to the client to compare with in order to determine what data needs to be sent to the server. By sending specially constructed checksum values for arbitrary files, an attacker may be able to reconstruct the data of those files byte-by-byte based on the responses from the client.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-4015-1, DSA-5843-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
rsync (PTS)	bullseye	3.2.3-4+deb11u1	vulnerable
	bullseye (security)	3.2.3-4+deb11u3	fixed
	bookworm	3.2.7-1	vulnerable
	bookworm (security)	3.2.7-1+deb12u2	fixed
	sid, trixie	3.3.0+ds1-4	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
rsync	source	bullseye	3.2.3-4+deb11u2	DLA-4015-1
rsync	source	bookworm	3.2.7-1+deb12u1	DSA-5843-1
rsync	source	(unstable)	3.3.0+ds1-3

Notes

https://www.openwall.com/lists/oss-security/2025/01/14/3
Fixed by: https://git.samba.org/?p=rsync.git;a=commit;h=8ad4b5d912fad1df29717dddaa775724da77d299 (v3.4.0)
Fixed by: https://git.samba.org/?p=rsync.git;a=commit;h=b4a27ca25d0abb6fcf14f41b7e11f3a6e1d8a4ff (v3.4.0)
Fixed by: https://git.samba.org/?p=rsync.git;a=commit;h=c35e28331f10ba6eba370611abd78bde32d54da7 (v3.4.0)
Fixed by: https://git.samba.org/?p=rsync.git;a=commit;h=9f86ddc9652247233f32b241a79d5aa4fb9d4afa (v3.4.0)
Fix introduces regression: https://github.com/RsyncProject/rsync/issues/715 (#1093160)