Ubuntu
rsync package

rsync 3.1.3-8ubuntu0.5 (CVE-2022-29154 patch) breaks remote brace interpretation

Bug #2011622 reported by Alan Rosenthal
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
rsync (Ubuntu)
Invalid
Undecided
Unassigned

Bug Description

Commands like this:
        rsync -a host.example.org:\{this,that} .
have worked for decades, in multiple Ubuntu versions, but were broken by the rsync 3.1.3-8ubuntu0 update (on the client, i.e. the machine on which I type that command).

(To be clear, the backslash there quotes the '{' so that it is sent to the remote rsync rather than being interpreted by the local shell.)

("What happens instead?" It now says "rsync: link_stat "/home/flaps/{this,that}" failed: No such file or directory (2)".)

CVE References

Athos Ribeiro (athos-ribeiro)
tags: added: regression-update
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Hi,

The security fix for CVE-2022-29154 unfortunately changed the way arguments are handled.

Could you try adding --old-args ? That should restore the previous behaviour you are expecting.

Revision history for this message
Alan Rosenthal (flaps) wrote :

> Could you try adding --old-args ? That should restore the previous behaviour you are expecting.

It does indeed. Thanks for the reply!

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

I am closing this bug, since the new behaviour is expected with the security fix. Thanks!

Changed in rsync (Ubuntu):
status: New → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.