CVE-2024-12085: Rsync: info leak via uninitialized stack contents
Published Dec 5, 2024
·Updated
A flaw was found in rsync which could be triggered when rsync compares file checksums. This flaw allows an attacker to manipulate the checksum length (s2length) to cause a comparison between a checksum and uninitialized memory and leak one byte of uninitialized stack data at a time.
Affected Software
69 affected componentsFixes available
debian/rsync<=3.2.3-4+deb11u1, <=3.2.7-1
3.2.3-4+deb11u33.2.7-1+deb12u23.3.0+ds1-4
F5 BIG-IQ Centralized Management
Samba rsync<3.3.0
redhat Openshift=5.0
redhat OpenShift Container Platform=4.12
redhat OpenShift Container Platform=4.13
redhat OpenShift Container Platform=4.14
redhat OpenShift Container Platform=4.15
redhat OpenShift Container Platform=4.16
redhat OpenShift Container Platform=4.17
redhat Enterprise Linux=8.0
redhat Enterprise Linux=9.0
redhat Enterprise Linux Eus=8.8
redhat Enterprise Linux Eus=9.2
redhat Enterprise Linux Eus=9.4
redhat Enterprise Linux Eus=9.6
redhat Enterprise Linux For Arm 64=8.0_aarch64
redhat Enterprise Linux For Arm 64=9.0_aarch64
redhat Enterprise Linux For Arm 64=9.2_aarch64
redhat Enterprise Linux For Arm 64 Eus=8.8_aarch64
redhat Enterprise Linux For Arm 64 Eus=9.4_aarch64
redhat Enterprise Linux For Arm 64 Eus=9.6_aarch64
redhat Enterprise Linux For Ibm Z Systems=8.0_s390x
redhat Enterprise Linux For Ibm Z Systems=9.0_s390x
redhat Enterprise Linux For Ibm Z Systems=9.2_s390x
redhat Enterprise Linux For Ibm Z Systems Eus=8.8_s390x
redhat Enterprise Linux For Ibm Z Systems Eus=9.4_s390x
redhat Enterprise Linux For Ibm Z Systems Eus=9.6_s390x
redhat Enterprise Linux For Power Little Endian=8.0_ppc64le
redhat Enterprise Linux For Power Little Endian=8.8_ppc64le
redhat Enterprise Linux For Power Little Endian=9.0_ppc64le
redhat Enterprise Linux For Power Little Endian=9.2_ppc64le
redhat Enterprise Linux For Power Little Endian Eus=9.4_ppc64le
redhat Enterprise Linux For Power Little Endian Eus=9.6_ppc64le
redhat Enterprise Linux Server=6.0
redhat Enterprise Linux Server=7.0
redhat Enterprise Linux Server Aus=8.2
redhat Enterprise Linux Server Aus=8.4
redhat Enterprise Linux Server Aus=8.6
redhat Enterprise Linux Server Aus=9.2
redhat Enterprise Linux Server Aus=9.4
redhat Enterprise Linux Server Aus=9.6
redhat Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions=8.4_ppc64le
redhat Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions=8.6_ppc64le
redhat Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions=8.8_ppc64le
redhat Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions=9.0_ppc64le
redhat Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions=9.2_ppc64le
redhat Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions=9.4_ppc64le
redhat Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions=9.6_ppc64le
redhat Enterprise Linux Server Tus=8.4
redhat Enterprise Linux Server Tus=8.6
redhat Enterprise Linux Server Tus=8.8
redhat Enterprise Linux Update Services For Sap Solutions=8.4
redhat Enterprise Linux Update Services For Sap Solutions=8.6
redhat Enterprise Linux Update Services For Sap Solutions=9.0
redhat Enterprise Linux Update Services For Sap Solutions=9.2
redhat Enterprise Linux Update Services For Sap Solutions=9.6
AlmaLinux Almalinux=8.0
AlmaLinux Almalinux=9.0
AlmaLinux Almalinux=10.0
Archlinux Arch Linux
Gentoo Linux
NixOS NixOS<24.11
SUSE SuSE Linux
Tritondatacenter Smartos<20250123
Microsoft azl3 rsync 3.4.1-1
Microsoft azl3 rsync 3.2.7-1
Microsoft cbl2 rsync 3.2.5-1
Microsoft cbl2 rsync 3.4.1-1
Event History
Dec 5, 2024
Data Sourced
via Red Hat·12:29 PM
DescriptionSeverityAffected Software
Jan 14, 2025
CVE Published
via MITRE·05:37 PM
Data Sourced
via MITRE·05:37 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·06:15 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·06:15 PM
Affected Software
Jan 19, 2025
Data Sourced
via Launchpad·12:07 AM
Description
Data Sourced
via Microsoft·08:00 AM
DescriptionSeverityWeakness
Data Sourced
via Microsoft·08:00 AM
Affected Software
Updated
via Microsoft·08:00 AM
Affected Software
Updated
via Microsoft·08:00 AM
DescriptionSeverity
Jan 23, 2025
News Published
via BleepingComputer·06:30 PM
News Published
via BleepingComputer·06:32 PM
Known Exploited
06:32 PM
Feb 9, 2025
Data Sourced
via Ubuntu·05:58 PM
RemedyDescriptionSeverityAffected Software
Mar 13, 2025
Advisory Published
via F5·01:26 AM
Frequently Asked Questions
1
What is the severity of CVE-2024-12085?
CVE-2024-12085 is considered a moderate severity vulnerability that can lead to the disclosure of sensitive information.
2
How do I fix CVE-2024-12085?
To fix CVE-2024-12085, you should upgrade to a patched version of rsync, specifically 3.2.3-4+deb11u3, 3.2.7-1+deb12u2, or 3.3.0+ds1-4.
3
What software is affected by CVE-2024-12085?
CVE-2024-12085 affects specific versions of the rsync package, including versions up to 3.2.3-4+deb11u1 and 3.2.7-1.
4
What type of vulnerability is CVE-2024-12085?
CVE-2024-12085 is a memory corruption vulnerability that can leak one byte of uninitialized stack data.
5
Is there any workaround for CVE-2024-12085?
There are no known effective workarounds for CVE-2024-12085, making upgrading to a fixed version essential.