diff options
| author | Archana Polampalli <archana.polampalli@windriver.com> | 2025-01-16 15:51:17 +0000 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2025-01-24 07:49:28 -0800 |
| commit | 2aebe10959d2343ad4818660bee6ca07fdcfc0dd (patch) | |
| tree | ce6aa2ce3eccf04d202ca427a19d63d2128cfdad /scripts/install-buildtools | |
| parent | 1e04a4df0a7e6e23be1800004c5edaf7634834d4 (diff) | |
| download | poky-2aebe10959d2343ad4818660bee6ca07fdcfc0dd.tar.gz | |
rsync: fix CVE-2024-12087
A path traversal vulnerability exists in rsync. It stems from behavior enabled
by the `--inc-recursive` option, a default-enabled option for many client options
and can be enabled by the server even if not explicitly enabled by the client.
When using the `--inc-recursive` option, a lack of proper symlink verification
coupled with deduplication checks occurring on a per-file-list basis could allow
a server to write files outside of the client's intended destination directory.
A malicious server could write malicious files to arbitrary locations named after
valid directories/paths on the client.
(From OE-Core rev: 12328df8dfcdc73ef70af299e9ebdc1d8ae73f37)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'scripts/install-buildtools')
0 files changed, 0 insertions, 0 deletions