Date: Tue, 5 Aug 2014 10:12:03 +0400 From: Loganaden Velvindron <loganaden@...il.com> To: oss-security@...ts.openwall.com Subject: Re: [CVE Requests] rsync and librsync collisions On Tue, Aug 5, 2014 at 10:03 AM, Michael Samuel <mik@...net.net> wrote: > Hi, > > I think there should be CVEs assigned for this: > > rsync: MD5 collision DoS attack or limited file corruption > librsync: MD4 collision file corruption > > Note: librsync is not the same code, protocol or maintainer as rsync. > > The librsync attack is far easier to perform, since there's no > whole-file checksum and it will simply copy the first instance of a > collision into any place where the second collision is. > > The rdiff utility that ships with librsync truncates hashes to 8 > bytes, allowing a very fast and efficient birthday attack - so even if > MD4 was replaced attacks would still be possible while the hash is > truncted. This also affects duplicity - they both use > RS_DEFAULT_STRONG_LEN - so the _librsyncmodule that ships with > duplicity will need recompiling after the fix ships. > > Previous posting for context: > http://www.openwall.com/lists/oss-security/2014/07/28/1 Hi, Can you please post at least a PoC or steps that others can use to reproduce the issues in rsync and librsync ? IMHO, that would *really* help. > > Regards, > Michael -- This message is strictly personal and the opinions expressed do not represent those of my employers, either past or present.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ