Date: Tue, 9 Sep 2014 09:06:52 +0400 From: Loganaden Velvindron <loganaden@...il.com> To: oss-security@...ts.openwall.com Subject: Re: [CVE Requests] rsync and librsync collisions On Sep 9, 2014 7:47 AM, "Murray McAllister" <mmcallis@...hat.com> wrote: > > Good morning, > > The below still require a CVE or two (unless MITRE disagrees). > Have the details been made public yet ? > Cheers, > > -- > Murray McAllister / Red Hat Product Security > > > On 08/05/2014 04:03 PM, Michael Samuel wrote: >> >> Hi, >> >> I think there should be CVEs assigned for this: >> >> rsync: MD5 collision DoS attack or limited file corruption >> librsync: MD4 collision file corruption >> >> Note: librsync is not the same code, protocol or maintainer as rsync. >> >> The librsync attack is far easier to perform, since there's no >> whole-file checksum and it will simply copy the first instance of a >> collision into any place where the second collision is. >> >> The rdiff utility that ships with librsync truncates hashes to 8 >> bytes, allowing a very fast and efficient birthday attack - so even if >> MD4 was replaced attacks would still be possible while the hash is >> truncted. This also affects duplicity - they both use >> RS_DEFAULT_STRONG_LEN - so the _librsyncmodule that ships with >> duplicity will need recompiling after the fix ships. >> >> Previous posting for context: >> http://www.openwall.com/lists/oss-security/2014/07/28/1 >> >> Regards, >> Michael >> >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ