Date: Tue, 9 Sep 2014 15:22:36 +1000
From: Michael Samuel <mik@...net.net>
To: oss-security@...ts.openwall.com
Subject: Re: [CVE Requests] rsync and librsync collisions

[ A reminder - librsync is a different codebase and protocol to rsync ]

On 9 September 2014 15:06, Loganaden Velvindron <loganaden@...il.com> wrote:
> Have the details been made public yet ?

The exploit code and example colliding blocks are not public, but I
don't believe it would be hard to attempt your own exploit, especially
against librsync with default parameters (a birthday attack is trivial).

There's an experimental patch for librsync:
https://github.com/therealmik/librsync/tree/blake2

Some review (especially by upstream) is required, and some agreement among users
on details is required.  See
https://github.com/librsync/librsync/issues/5 if you maintain
a downstream project (such as Duplicity).

I don't know what's happening with rsync upstream, there hasn't been much
communication.  I attempted a patch, but it got a bit hairy due to
hard-coded details in the code (such as hash output length).

Regards,
  Michael
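The birthday-attack remark above is the key risk point for anyone sizing a block "strong checksum". As an added illustration (not code from this thread, librsync or rsync), the following script computes the birthday bound for a given digest length and then empirically finds a collision on a deliberately short truncated digest. The digest lengths tried are illustrative assumptions, not the actual defaults of either project; the point is that collision cost is roughly 2^(n/2) for an n-bit sum, which is why a patch that cannot change a hard-coded output length (as described for rsync) cannot fix the problem, and why moving to a full-length modern hash such as BLAKE2 does.

```python
"""Birthday-bound illustration for truncated block checksums.

Added example, not code from the oss-security thread, librsync or rsync.
It shows (a) the expected number of blocks an attacker needs before two
share an n-bit checksum and (b) an actual collision search on a short
truncated digest.  The bit lengths used are illustrative assumptions.
"""
import hashlib
import math
import os


def birthday_attempts(bits: int, probability: float = 0.5) -> float:
    """Expected number of random inputs whose `bits`-bit digests collide
    with the given probability: n ~ sqrt(2 * 2^bits * ln(1 / (1 - p))).
    For p = 0.5 this is about 1.18 * 2^(bits / 2)."""
    return math.sqrt(2.0 * (2.0 ** bits) * math.log(1.0 / (1.0 - probability)))


def truncated_digest(data: bytes, bits: int) -> bytes:
    """First `bits` bits of SHA-256 as bytes (bits must be a multiple of 8).
    Truncating even a strong hash reduces collision resistance to bits/2."""
    if bits % 8 != 0 or bits <= 0 or bits > 256:
        raise ValueError("bits must be a positive multiple of 8, at most 256")
    return hashlib.sha256(data).digest()[: bits // 8]


def find_collision(bits: int, max_attempts: int = 1 << 20):
    """Draw random 16-byte 'blocks' until two distinct ones share a
    truncated digest.  Returns (attempts, block_a, block_b), or None if
    max_attempts is exhausted (practically impossible for bits <= 32)."""
    seen = {}  # truncated digest -> first block that produced it
    for attempt in range(1, max_attempts + 1):
        block = os.urandom(16)
        d = truncated_digest(block, bits)
        if d in seen and seen[d] != block:
            return attempt, seen[d], block
        seen[d] = block
    return None


if __name__ == "__main__":
    for n in (24, 32, 64, 128, 256):  # assumed lengths for illustration
        print(f"{n:3d}-bit checksum: ~{birthday_attempts(n):.3e} blocks "
              f"for a 50% chance of a collision")
    found = find_collision(24)
    if found is not None:
        attempts, a, b = found
        print(f"24-bit collision after {attempts} blocks: "
              f"{a.hex()} and {b.hex()} -> {truncated_digest(a, 24).hex()}")
```

The empirical search is only run at 24 bits so it finishes in well under a second; the formula alone shows how the same search scales with length. A defender reviewing a delta-transfer protocol should treat anything near the 64-bit row as attacker-reachable and require a full-length digest.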
