[Original text] util.c in rssh 2.3.0 in Debian GNU/Linux does not use braces to make a block, which causes a check for CVS to always succeed and allows rsync and rdist to bypass intended access restrictions in rssh.conf.
A programming error in the 'util.c' file of the rssh package in Debian GNU/Linux allows rdist and rsync to bypass security.
This vulnerability may facilitate privilege escalation, because the error allows rssh's check for CVS to always succeed. An attacker could use it to bypass existing security limitations and access controls.
An exploit is not required.
Debian GNU/Linux has released fixed builds of the rssh package.
Users should use the 'apt-get' utility to ensure that a fixed version of the affected package is installed.
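The bug class described above, as an added example that is not rssh's source or Debian's patch: a simplified model in which a brace-less `if` leaves the CVS `return` unconditional, shown beside the braced fix. The function names, flag values and sample command line are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the per-user "allow" settings in rssh.conf. */
enum { ALLOW_CVS = 1, ALLOW_RDIST = 2, ALLOW_RSYNC = 4 };
enum { DENY = 0, RUN_CVS, RUN_RDIST, RUN_RSYNC };

/* Hypothetical helper: true if cmd invokes prog and policy permits prog. */
static int permitted(const char *cmd, const char *prog, int allowed)
{
    size_t n = strlen(prog);
    return allowed && strncmp(cmd, prog, n) == 0
        && (cmd[n] == ' ' || cmd[n] == '\0');
}

/* Flawed: no braces, so only the fputs() is conditional. The return runs
 * for every command line and the rdist/rsync checks are never reached. */
int check_flawed(const char *cmd, int flags)
{
    if (permitted(cmd, "cvs", flags & ALLOW_CVS))
        fputs("cvs accepted\n", stderr);
        return RUN_CVS;
    if (permitted(cmd, "rdist", flags & ALLOW_RDIST))
        return RUN_RDIST;
    if (permitted(cmd, "rsync", flags & ALLOW_RSYNC))
        return RUN_RSYNC;
    return DENY;
}

/* Corrected: braces bind both statements to the CVS test. */
int check_fixed(const char *cmd, int flags)
{
    if (permitted(cmd, "cvs", flags & ALLOW_CVS)) {
        fputs("cvs accepted\n", stderr);
        return RUN_CVS;
    }
    if (permitted(cmd, "rdist", flags & ALLOW_RDIST))
        return RUN_RDIST;
    if (permitted(cmd, "rsync", flags & ALLOW_RSYNC))
        return RUN_RSYNC;
    return DENY;
}

int main(void)
{
    const char *cmd = "rsync --server . /srv";   /* constructed input */
    printf("flawed=%d fixed=%d\n", check_flawed(cmd, 0), check_fixed(cmd, 0));
    return 0;
}
```

GCC reports the flawed function under `-Wmisleading-indentation`, which `-Wall` enables.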