Date: Tue, 9 Sep 2014 09:06:52 +0400
From: Loganaden Velvindron <loganaden@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: [CVE Requests] rsync and librsync collisions

On Sep 9, 2014 7:47 AM, "Murray McAllister" <mmcallis@...hat.com> wrote:
>
> Good morning,
>
> The below still require a CVE or two (unless MITRE disagrees).
>

Have the details been made public yet?
> Cheers,
>
> --
> Murray McAllister / Red Hat Product Security
>
>
> On 08/05/2014 04:03 PM, Michael Samuel wrote:
>>
>> Hi,
>>
>> I think there should be CVEs assigned for this:
>>
>> rsync: MD5 collision DoS attack or limited file corruption
>> librsync: MD4 collision file corruption
>>
>> Note: librsync is not the same code, protocol or maintainer as rsync.
>>
>> The librsync attack is far easier to perform, since there's no
>> whole-file checksum and it will simply copy the first instance of a
>> collision into any place where the second collision is.
>>
>> The rdiff utility that ships with librsync truncates hashes to 8
>> bytes, allowing a very fast and efficient birthday attack - so even if
>> MD4 was replaced attacks would still be possible while the hash is
>> truncated.  This also affects duplicity - they both use
>> RS_DEFAULT_STRONG_LEN - so the _librsyncmodule that ships with
>> duplicity will need recompiling after the fix ships.
>>
>> Previous posting for context:
>> http://www.openwall.com/lists/oss-security/2014/07/28/1
>>
>> Regards,
>>    Michael
>>
>
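The quoted message makes two points worth seeing in working code: truncating a strong hash to 8 bytes lowers the collision search to a birthday bound of roughly 2^32 regardless of which hash function sits underneath, and a block-matching delta that trusts only the truncated per-block hash (no whole-file checksum, as described for librsync) will silently copy the wrong block when two blocks share a truncated digest. The following Python is an added illustration written for this archive page; it is not rsync or librsync code and does not model their real formats. It simplifies the protocol to fixed-size blocks matched purely on a truncated SHA-256 (no rolling weak checksum), uses a 2-byte truncation so the demonstration collision is found instantly, and all names (`strong_hash`, `build_signature`, `compute_delta`, `apply_delta`, `whole_file_check`, `demo`) are the example's own. The whole-file verification step at the end is the detection a receiver needs to notice that a collision-induced copy produced the wrong file.

```python
import hashlib

BLOCK_SIZE = 16  # constructed toy block size for the simulation


def strong_hash(block: bytes, trunc_len: int) -> bytes:
    # Full-strength hash, then truncated, mirroring a fixed "strong length" setting.
    return hashlib.sha256(block).digest()[:trunc_len]


def birthday_work(trunc_len_bytes: int) -> float:
    # Expected hash evaluations to find a collision: about 2^(n/2) for an n-bit digest.
    # 8 bytes -> ~2^32 evaluations, 16 bytes -> ~2^64.
    return 2 ** (trunc_len_bytes * 8 / 2)


def find_truncated_collision(trunc_len: int):
    # Generic birthday search over constructed counter blocks; only feasible here
    # because trunc_len is tiny. Returns two distinct blocks with equal truncated digests.
    seen = {}
    i = 0
    while True:
        block = f"block-{i}".encode().ljust(BLOCK_SIZE, b"\0")
        tag = strong_hash(block, trunc_len)
        if tag in seen:
            return seen[tag], block
        seen[tag] = block
        i += 1


def build_signature(basis: bytes, trunc_len: int) -> dict:
    # Receiver-side signature: truncated digest -> offset of the first block carrying it.
    sig = {}
    for off in range(0, len(basis), BLOCK_SIZE):
        sig.setdefault(strong_hash(basis[off:off + BLOCK_SIZE], trunc_len), off)
    return sig


def compute_delta(sig: dict, new_data: bytes, trunc_len: int) -> list:
    # Sender side: a block is treated as "already present" purely on the truncated digest.
    delta = []
    for off in range(0, len(new_data), BLOCK_SIZE):
        chunk = new_data[off:off + BLOCK_SIZE]
        tag = strong_hash(chunk, trunc_len)
        delta.append(("copy", sig[tag]) if tag in sig else ("literal", chunk))
    return delta


def apply_delta(basis: bytes, delta: list) -> bytes:
    # Receiver side: copy blocks from the basis file or take literal data.
    out = bytearray()
    for kind, arg in delta:
        out += basis[arg:arg + BLOCK_SIZE] if kind == "copy" else arg
    return bytes(out)


def whole_file_check(reconstructed: bytes, expected_full_digest: bytes) -> bool:
    # Untruncated whole-file verification: catches a block that matched only by collision.
    return hashlib.sha256(reconstructed).digest() == expected_full_digest


def demo(trunc_len: int = 2) -> dict:
    a, b = find_truncated_collision(trunc_len)
    header = b"header-block-xx."            # constructed 16-byte block common to both files
    basis = header + a                      # receiver already holds block A
    new = header + b                        # sender's file has block B in that position
    delta = compute_delta(build_signature(basis, trunc_len), new, trunc_len)
    recon = apply_delta(basis, delta)
    return {
        "blocks_differ": a != b,
        "truncated_tags_equal": strong_hash(a, trunc_len) == strong_hash(b, trunc_len),
        "full_digests_equal": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
        "reconstruction_correct": recon == new,
        "whole_file_check_passes": whole_file_check(recon, hashlib.sha256(new).digest()),
        "work_for_8_byte_truncation": birthday_work(8),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Even though the underlying hash is SHA-256, the receiver ends up with block A where block B belonged because the match decision sees only two bytes of digest; the whole-file check is what turns that silent corruption into a detectable failure.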
