CVE-2022-29154: 
NixOS vulnerability analysis and mitigation

An issue was discovered in rsync before version 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The vulnerability, identified as CVE-2022-29154, was reported on July 25, 2022, and publicly disclosed on August 2, 2022. The vulnerability affects rsync installations prior to version 3.2.5 (OSS Security, NVD).

The vulnerability stems from insufficient validation of file names in the rsync client. Due to inadequate controls inside the doserverrecv function, the server can choose which files/directories are sent to the client without proper validation. The vulnerability has been assigned a CVSS v3.1 base score of 7.4 (High), with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H, indicating network attack vector, high attack complexity, no privileges required, and high impact on integrity and availability (NVD).

A malicious rsync server or Man-in-The-Middle attacker can exploit this vulnerability to overwrite arbitrary files in the rsync client target directory and its subdirectories. This could lead to serious security implications, such as overwriting critical files like .ssh/authorized_keys, potentially compromising system security (OSS Security).

The vulnerability was addressed in rsync version 3.2.5. Users are recommended to upgrade to this version or later to mitigate the vulnerability. The fix was implemented through several patches that were incorporated into the 3.2.5 release. Note that version 3.2.5 introduced some regressions which were subsequently fixed in versions 3.2.6 and 3.2.7 (Ubuntu Security).