CVE-2024-12085: 
NixOS vulnerability analysis and mitigation

A flaw was found in rsync which could be triggered when rsync compares file checksums. This vulnerability (CVE-2024-12085) was discovered and disclosed on January 14, 2025. The vulnerability affects rsync software across multiple operating systems including Red Hat Enterprise Linux, Ubuntu, and other Linux distributions. The issue allows an attacker to manipulate the checksum length (s2length) to cause a comparison between a checksum and uninitialized memory (NVD, Red Hat).

The vulnerability occurs when rsync compares file checksums. An attacker can manipulate the checksum length (s2length) parameter to force a comparison between a checksum and uninitialized memory. This manipulation allows the attacker to leak one byte of uninitialized stack data at a time. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability allows an attacker to leak uninitialized stack data byte by byte from the affected system. Over multiple requests, an attacker can potentially leak up to MAXDIGESTLEN - 8 bytes of sensitive data, which could help defeat Address Space Layout Randomization (ASLR). This information leak could potentially expose sensitive information stored in memory (CERT VU#952657).

Multiple vendors have released patches to address this vulnerability. Red Hat has released security updates for affected versions across their product line. Users are advised to update to the latest version of rsync that contains the fix. The vulnerability has been fixed in rsync version 3.4.0 and later (Red Hat, CERT VU#952657).