Package: rsync
Version: 3.1.2-2
Severity: serious
Tags: security upstream
Justification: security-relevant

Assume my home directory on 'remote' has no files matching '*4'.
Now run this:

	remote$ touch ./-zT.mp4
	local$ mkdir test
	local$ cd test
	local$ rsync -zavPH --numeric-ids -S --stats '--rsh=ssh -T' $remote:\*4 .

Expected: the “-zT.mp4” file is transferred.
Actual: the whole home directory of $remote, including subdirectories
and everything, is transferred.

Now imagine I had not cd’d into a new subdirectory. I have overwritten
all files in my own home directory that are present on remote’s before
I managed to press ^C and lost my TODO file and some dotfiles.

Yes, files starting with a U+002D HYPHEN-MINUS are problematic. I’d
still expect files that have passed muster on the local side to be
properly escaped to the remote side. I think this is simply a case of
a missing “--” argument before the pathnames on the constructed rsh
command line. When I do…

	$ rsync -zavPH --numeric-ids -S --stats '--rsh=logger --' localhost:\* .

… I get this in syslog:

	localhost rsync --server --sender -vlHogDtprSze.iLsfxC --numeric-ids . *

Now if after --numeric-ids there was a -- I believe the problem would
go away.

(I’m aware of rsync’s capability to apply remote globs, and this is
not the problem here; in fact, the first command of mine above relies
on that. This is strictly about the hyphen-minus, which is not
uncommon in filenames created by youtube-dl.)

-- System Information:
Debian Release: 9.0
  APT prefers unreleased
  APT policy: (500, 'unreleased'), (500, 'buildd-unstable'), (500, 'unstable')
Architecture: x32 (x86_64)
Foreign Architectures: i386, amd64

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)

Versions of packages rsync depends on:
ii  base-files           9.9
ii  init-system-helpers  1.48
ii  libacl1              2.2.52-3+b1
ii  libattr1             1:2.4.47-2+b2
ii  libc6                2.24-10
ii  libpopt0             1.16-10+b2
ii  lsb-base             9.20161125

rsync recommends no packages.

Versions of packages rsync suggests:
ii  openssh-client  1:7.4p1-10
ii  openssh-server  1:7.4p1-10

-- no debconf information
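The missing separator the report describes, illustrated with added example code that is neither from the bug report nor from rsync's source. A small argparse-based stand-in models a server command whose parser, like the one seen in the syslog line above, accepts options after non-option arguments; the option shapes are assumptions chosen to match the filename in the report (`-z` as a flag, `-T` as an option taking an argument, `--numeric-ids` as a flag). `server_view` reports which arguments end up as paths with and without a `--`, and `build_argv` is the hardened construction that places `--` before the pathnames so that a remote-expanded filename can never be read as an option.

```python
"""Added example (not rsync's code): why a '--' separator belongs before
pathnames on a constructed command line that may contain filenames
beginning with '-'.

The parser below is a stand-in for a server-side command. Its option
table is an assumption for illustration, not rsync's real option set.
"""
import argparse


def server_view(argv):
    """Parse argv the way an option-permuting parser does and report
    which arguments became paths and which were consumed as options."""
    parser = argparse.ArgumentParser(prog="server-stub", add_help=False)
    parser.add_argument("--numeric-ids", action="store_true")
    parser.add_argument("-z", action="store_true")   # assumed flag
    parser.add_argument("-T", metavar="DIR")          # assumed option with a value
    parser.add_argument("paths", nargs="+")
    ns = parser.parse_args(argv)
    return {"paths": ns.paths, "z": ns.z, "T": ns.T}


def build_argv(options, paths):
    """Hardened construction: options first, then a literal '--', then
    the paths. Everything after '--' is a path even if it starts with '-'."""
    return list(options) + ["--"] + list(paths)


# Constructed input: the remote-side glob '*4' expanded to a file named
# '-zT.mp4', so the server command receives it as a bare argument.
OPTIONS = [" --numeric-ids".strip()]
EXPANDED = [".", "-zT.mp4"]

UNSAFE = OPTIONS + EXPANDED             # shape of the line seen in syslog
SAFE = build_argv(OPTIONS, EXPANDED)    # same arguments with the separator

if __name__ == "__main__":
    # Without '--', '-zT.mp4' is swallowed as options and only '.' remains
    # as a path, i.e. the whole directory. With '--', both entries stay paths.
    print("without --:", server_view(UNSAFE))
    print("with    --:", server_view(SAFE))
```

The check to apply when reviewing any code that builds an rsh or ssh command line from user-controlled names: the separator must sit after the last option the local side adds and before the first name that could have come from a glob or a directory listing.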