Date: Thu, 18 Sep 2014 12:30:22 +1000
From: Michael Samuel <mik@...net.net>
To: oss-security@...ts.openwall.com
Subject: Re: Re: [CVE Requests] rsync and librsync collisions

Ok, for rsync you can download colliding blocks (and a brief description) here:

https://github.com/therealmik/rsync-collision

I don't get the feeling that this will be fixed upstream, but a simple fix
would be to incorporate libdetectcoll from Marc Stevens into rsync, and when a
collision attempt is detected to simply send a data block.

A longer-term fix would be to just replace MD5 with a collision-resistant hash
function - blake2 is a good fit.  The 128-bit output is right on the edge of
being strong enough.

I submitted a very rough patch which does both, but I haven't had the time to
clean the rough edges - the libdetectcoll codebase needs a fair amount of
cleaning (printfs etc), and the rsync codebase needs a fair bit of refactor to
handle hash output lengths > 16 bytes.

Regards,
  Michael
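As an added illustration (not code from the mail, from rsync or from libdetectcoll), a toy Python model of rsync-style block matching: the receiver sends per-block strong checksums, the sender answers with match tokens or literal data, and the receiver rebuilds the file. A 16-bit truncated MD5 stands in for a collision-prone hash so a colliding block can be found offline; `suspicious` is an assumed placeholder hook where a libdetectcoll-style check would force the literal-data fallback, and blake2b with a 16-byte digest shows the proposed replacement; real rsync's weak rolling checksum is omitted.

```python
import hashlib
BLOCK = 8  # constructed toy block size; real rsync uses much larger blocks

def md5_16bit(block):
    # Truncated MD5: a stand-in for a collision-prone hash so the failure is reproducible offline.
    return hashlib.md5(block).digest()[:2]

def blake2_128(block):
    # The replacement the mail proposes: blake2 with a 128-bit (16-byte) output.
    return hashlib.blake2b(block, digest_size=16).digest()

def signatures(basis, strong):
    # Receiver side: strong checksum -> block index of its current copy of the file.
    return {strong(basis[i:i + BLOCK]): i // BLOCK for i in range(0, len(basis), BLOCK)}

def delta(new, sigs, strong, suspicious=lambda block: False):
    # Sender side: blocks the receiver already holds become ('match', idx) tokens; the rest,
    # and any block `suspicious` (a placeholder hook, not libdetectcoll) flags, go as ('lit', bytes).
    tokens = []
    for i in range(0, len(new), BLOCK):
        block = new[i:i + BLOCK]
        idx = sigs.get(strong(block))
        tokens.append(("match", idx) if idx is not None and not suspicious(block) else ("lit", block))
    return tokens

def apply_delta(basis, tokens):
    # Receiver side: rebuild the file from its own basis blocks plus the literals.
    return b"".join(basis[d * BLOCK:(d + 1) * BLOCK] if k == "match" else d for k, d in tokens)

def sync(basis, new, strong, suspicious=lambda block: False):
    return apply_delta(basis, delta(new, signatures(basis, strong), strong, suspicious))

def second_preimage(target, strong):
    # Find a different block with the same checksum; feasible only because md5_16bit is a toy.
    n, want = 0, strong(target)
    while True:
        cand = n.to_bytes(BLOCK, "big")
        if cand != target and strong(cand) == want:
            return cand
        n += 1

def run_demo():
    basis = b"hdr-----blockOLDtail----"  # constructed receiver-side file, three blocks
    evil = second_preimage(b"blockOLD", md5_16bit)
    new = b"hdr-----" + evil + b"tail----"  # sender-side file carrying the colliding block
    return {
        "expected": new,
        "broken_hash": sync(basis, new, md5_16bit),  # receiver silently keeps blockOLD
        "fallback": sync(basis, new, md5_16bit, suspicious=lambda b: b == evil),  # sent literally
        "blake2": sync(basis, new, blake2_128),  # no false match
    }
```

The fallback path can never produce a wrong file, only extra bytes on the wire, which is why forcing literal data on a detected collision attempt is a safe interim fix.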
