GLSA 200804-16: rsync: Execution of arbitrary code

Title:rsync: Execution of arbitrary code
Bugs: #216887


A buffer overflow in rsync might lead to the remote execution of arbitrary code when extended attributes are being used.


rsync is a file transfer program to keep remote directories synchronized.

Affected packages

Package Vulnerable Unaffected Architecture(s)
net-misc/rsync < 2.6.9-r6 >= 2.6.9-r6 All supported architectures


Sebastian Krahmer of SUSE reported an integer overflow in the expand_item_list() function in the file util.c which might lead to a heap-based buffer overflow when extended attribute (xattr) support is enabled.


A remote attacker could send a file containing specially crafted extended attributes to an rsync deamon, or entice a user to sync from an rsync server containing specially crafted files, possibly leading to the execution of arbitrary code.

Please note that extended attributes are only enabled when USE="acl" is enabled, which is the default setting.


Disable extended attributes in the rsync daemon by setting "refuse options = xattrs" in the file "/etc/rsyncd.conf" (or append "xattrs" to an existing "refuse" statement). When synchronizing to a server, do not provide the "-X" parameter to rsync. You can also disable the "acl" USE flag for rsync and recompile the package.


All rsync users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/rsync-2.6.9-r6"



This GLSA and any updates to it are available for viewing at the Gentoo Security Website:


Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to or alternatively, you may file a bug at


Copyright 2010 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

Thank you!