Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Accepted

Permalink CVE-2024-12084

9.8 CRITICAL

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

updated 3 weeks, 5 days ago by @fricklerhandwerk Activity log

Created automatic suggestion 1 year, 2 months ago
@LeSuisse accepted 1 year, 2 months ago
@fricklerhandwerk added maintainer @fricklerhandwerk 3 weeks, 5 days ago maintainer.add
@fricklerhandwerk deleted
2 maintainers
- @fricklerhandwerk
- @ehmry
3 weeks, 5 days ago maintainer.delete
@fricklerhandwerk ignored package rsync 3 weeks, 5 days ago
@fricklerhandwerk restored package rsync 3 weeks, 5 days ago
@fricklerhandwerk added maintainer @fricklerhandwerk 3 weeks, 5 days ago maintainer.add

Rsync: heap buffer overflow in rsync due to improper checksum length handling

A heap-based buffer overflow flaw was found in the rsync daemon. This issue is due to improper handling of attacker-controlled checksum lengths (s2length) in the code. When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), an attacker can write out of bounds in the sum2 buffer.

References

https://access.redhat.com/security/cve/CVE-2024-12084 vdb-entryx_refsource_REDHAT
RHBZ#2330527 x_refsource_REDHATissue-tracking
https://kb.cert.org/vuls/id/952657
http://www.openwall.com/lists/oss-security/2025/01/14/6
https://access.redhat.com/security/cve/CVE-2024-12084 vdb-entryx_refsource_REDHAT
RHBZ#2330527 x_refsource_REDHATissue-tracking
https://kb.cert.org/vuls/id/952657
http://www.openwall.com/lists/oss-security/2025/01/14/6
https://access.redhat.com/security/cve/CVE-2024-12084 vdb-entryx_refsource_REDHAT
RHBZ#2330527 x_refsource_REDHATissue-tracking
https://kb.cert.org/vuls/id/952657
https://github.com/google/security-research/security/advisories/GHSA-p5pg-x43v-… exploit
http://www.openwall.com/lists/oss-security/2025/01/14/6
https://access.redhat.com/security/cve/CVE-2024-12084 vdb-entryx_refsource_REDHAT
RHBZ#2330527 x_refsource_REDHATissue-tracking
https://kb.cert.org/vuls/id/952657
https://github.com/google/security-research/security/advisories/GHSA-p5pg-x43v-… exploit
http://www.openwall.com/lists/oss-security/2025/01/14/6
https://access.redhat.com/security/cve/CVE-2024-12084 vdb-entryx_refsource_REDHAT
RHBZ#2330527 x_refsource_REDHATissue-tracking
https://kb.cert.org/vuls/id/952657
https://github.com/google/security-research/security/advisories/GHSA-p5pg-x43v-… exploit
http://www.openwall.com/lists/oss-security/2025/01/14/6
RHBA-2025:6470 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2024-12084 vdb-entryx_refsource_REDHAT
RHBZ#2330527 x_refsource_REDHATissue-tracking
https://kb.cert.org/vuls/id/952657
https://github.com/google/security-research/security/advisories/GHSA-p5pg-x43v-… exploit
http://www.openwall.com/lists/oss-security/2025/01/14/6
RHBA-2025:6470 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2024-12084 vdb-entryx_refsource_REDHAT
RHBZ#2330527 x_refsource_REDHATissue-tracking
https://kb.cert.org/vuls/id/952657
https://github.com/google/security-research/security/advisories/GHSA-p5pg-x43v-… exploit
http://www.openwall.com/lists/oss-security/2025/01/14/6
RHBA-2025:6470 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2024-12084 vdb-entryx_refsource_REDHAT
RHBZ#2330527 x_refsource_REDHATissue-tracking
https://kb.cert.org/vuls/id/952657
https://github.com/google/security-research/security/advisories/GHSA-p5pg-x43v-… exploit
http://www.openwall.com/lists/oss-security/2025/01/14/6
https://security.netapp.com/advisory/ntap-20250131-0002/
https://www.kb.cert.org/vuls/id/952657
RHBA-2025:6470 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2024-12084 vdb-entryx_refsource_REDHAT
RHBZ#2330527 x_refsource_REDHATissue-tracking
https://kb.cert.org/vuls/id/952657
https://github.com/google/security-research/security/advisories/GHSA-p5pg-x43v-… exploit
http://www.openwall.com/lists/oss-security/2025/01/14/6
https://security.netapp.com/advisory/ntap-20250131-0002/
https://www.kb.cert.org/vuls/id/952657
RHBA-2025:6470 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2024-12084 vdb-entryx_refsource_REDHAT
RHBZ#2330527 x_refsource_REDHATissue-tracking
https://kb.cert.org/vuls/id/952657
https://github.com/google/security-research/security/advisories/GHSA-p5pg-x43v-… exploit
http://www.openwall.com/lists/oss-security/2025/01/14/6
https://security.netapp.com/advisory/ntap-20250131-0002/
https://www.kb.cert.org/vuls/id/952657

Affected products

rhcos

rsync

==3.2.7
*
==3.3.0

Matching in nixpkgs

pkgs.rsync

Fast incremental file transfer utility

nixos-unstable 3.3.0
- nixpkgs-unstable 3.3.0
- nixos-unstable-small 3.3.0

Package maintainers

@kampfschlaefer Arnold Krille <arnold@arnoldarts.de>
@ivan Ivan Kozik <ivan@ludios.org>

Ignored maintainers (1)

@ehmry Emery Hemingway <ehmry@posteo.net>

Additional maintainers

@fricklerhandwerk Valentin Gagarin <valentin@fricklerhandwerk.de>