![]() |
|
Date: Tue, 5 Aug 2014 16:03:29 +1000 From: Michael Samuel <mik@...net.net> To: oss-security@...ts.openwall.com Subject: [CVE Requests] rsync and librsync collisions Hi, I think there should be CVEs assigned for this: rsync: MD5 collision DoS attack or limited file corruption librsync: MD4 collision file corruption Note: librsync is not the same code, protocol or maintainer as rsync. The librsync attack is far easier to perform, since there's no whole-file checksum and it will simply copy the first instance of a collision into any place where the second collision is. The rdiff utility that ships with librsync truncates hashes to 8 bytes, allowing a very fast and efficient birthday attack - so even if MD4 was replaced attacks would still be possible while the hash is truncted. This also affects duplicity - they both use RS_DEFAULT_STRONG_LEN - so the _librsyncmodule that ships with duplicity will need recompiling after the fix ships. Previous posting for context: http://www.openwall.com/lists/oss-security/2014/07/28/1 Regards, Michael
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.