Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 5 Aug 2014 16:03:29 +1000
From: Michael Samuel <>
Subject: [CVE Requests] rsync and librsync collisions


I think there should be CVEs assigned for this:

rsync: MD5 collision DoS attack or limited file corruption
librsync: MD4 collision file corruption

Note: librsync is not the same code, protocol or maintainer as rsync.

The librsync attack is far easier to perform, since there's no
whole-file checksum and it will simply copy the first instance of a
collision into any place where the second collision is.

The rdiff utility that ships with librsync truncates hashes to 8
bytes, allowing a very fast and efficient birthday attack - so even if
MD4 was replaced attacks would still be possible while the hash is
truncted.  This also affects duplicity - they both use
RS_DEFAULT_STRONG_LEN - so the _librsyncmodule that ships with
duplicity will need recompiling after the fix ships.

Previous posting for context:


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ