Date: Tue, 9 Sep 2014 15:22:36 +1000
From: Michael Samuel <mik@...net.net>
To: oss-security@...ts.openwall.com
Subject: Re: [CVE Requests] rsync and librsync collisions

[ A reminder - librsync is a different codebase and protocol to rsync ]

On 9 September 2014 15:06, Loganaden Velvindron <loganaden@...il.com> wrote:
> Have the details been made public yet?

The exploit code and example colliding blocks are not public, but I don't believe it would be hard to attempt your own exploit, especially against librsync with default parameters (a birthday attack is trivial).

There's an experimental patch for librsync: https://github.com/therealmik/librsync/tree/blake2

Some review (especially by upstream) is required, and some agreement among users on details is required. See https://github.com/librsync/librsync/issues/5 if you maintain a downstream project (such as Duplicity).

I don't know what's happening with rsync upstream, there hasn't been much communication. I attempted a patch, but it got a bit hairy due to hard-coded details in the code (such as hash output length).

Regards,
  Michael