Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 5 Aug 2014 10:12:03 +0400
From: Loganaden Velvindron <loganaden@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: [CVE Requests] rsync and librsync collisions

On Tue, Aug 5, 2014 at 10:03 AM, Michael Samuel <mik@...net.net> wrote:
> Hi,
>
> I think there should be CVEs assigned for this:
>
> rsync: MD5 collision DoS attack or limited file corruption
> librsync: MD4 collision file corruption
>
> Note: librsync is not the same code, protocol or maintainer as rsync.
>
> The librsync attack is far easier to perform, since there's no
> whole-file checksum and it will simply copy the first instance of a
> collision into any place where the second collision is.
>
> The rdiff utility that ships with librsync truncates hashes to 8
> bytes, allowing a very fast and efficient birthday attack - so even if
> MD4 was replaced attacks would still be possible while the hash is
> truncted.  This also affects duplicity - they both use
> RS_DEFAULT_STRONG_LEN - so the _librsyncmodule that ships with
> duplicity will need recompiling after the fix ships.
>
> Previous posting for context:
> http://www.openwall.com/lists/oss-security/2014/07/28/1

Hi,

Can you please post at least a PoC or steps that others can use to
reproduce the issues in rsync and librsync ?

IMHO, that would *really* help.

>
> Regards,
>   Michael



-- 
This message is strictly personal and the opinions expressed do not
represent those of my employers, either past or present.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ