On January 14, Nick Tait announced the discovery of six vulnerabilities in rsync, the popular file-synchronization tool. While software vulnerabilities are not uncommon, the most serious one he announced allows for remote code execution on servers that run rsyncd — and possibly other configurations. The bug itself is fairly simple, but this event provides a nice opportunity to dig into it, show why it is so serious, and consider ways the open-source community can prevent such mistakes in the future.

The vulnerabilities were found by two groups of researchers: Simon Scannell, Pedro Gallegos, and Jasiel Spelman from Google's Cloud Vulnerability Research identified five of them, including the most serious one. Aleksei Gorban, a security researcher at TikTok, discovered the sixth — a race condition in how rsync handles symbolic links.