Lsyncd: Remote execution of arbitrary code

2017-02-10T00:00:00
ID GLSA-201702-05
Type gentoo
Reporter Gentoo Foundation
Modified 2017-02-10T00:00:00

Description

Background

A daemon to synchronize local directories using rsync.

Description

default-rsyncssh.lua in Lsyncd performed insufficient sanitising of filenames.

Impact

An attacker, able to control files processed by Lsyncd, could possibly execute arbitrary code with the privileges of the process or cause a Denial of Service condition.

Workaround

There is no known workaround at this time.

Resolution

All Lsyncd users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-admin/lsyncd-2.1.6"