diff options
| author | Archana Polampalli <archana.polampalli@windriver.com> | 2025-01-16 15:15:07 +0000 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2025-01-25 06:20:37 -0800 |
| commit | 61587111989252119cce4c1c26503e986f9efd7a (patch) | |
| tree | 9f9012054a1dc4351e25d03922b9f2b179248109 /scripts/oepydevshell-internal.py | |
| parent | dfbd3aac89fe9344d752ff8e77f0afe25bcd6866 (diff) | |
| download | poky-61587111989252119cce4c1c26503e986f9efd7a.tar.gz | |
rsync: fix CVE-2024-12087
A path traversal vulnerability exists in rsync. It stems from behavior enabled
by the `--inc-recursive` option, a default-enabled option for many client options
and can be enabled by the server even if not explicitly enabled by the client.
When using the `--inc-recursive` option, a lack of proper symlink verification
coupled with deduplication checks occurring on a per-file-list basis could allow
a server to write files outside of the client's intended destination directory.
A malicious server could write malicious files to arbitrary locations named after
valid directories/paths on the client.
(From OE-Core rev: c34cbef572e18c60bb7600fda370d6c46688c7b3)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'scripts/oepydevshell-internal.py')
0 files changed, 0 insertions, 0 deletions