Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 10 Apr 2015 11:26:53 +0200
From: Vitezslav Cizek <civ@...ma.cz>
To: Michael Samuel <mik@...net.net>
Cc: oss-security@...ts.openwall.com
Subject: Re: Re: [CVE Requests] rsync and librsync collisions

Hi Michael,

* Dne Thursday 18. September 2014, 04:30:22 [CEST] Michael Samuel napsal:
> Ok, for rsync you can download colliding blocks (and a brief description) here:
> 
> https://github.com/therealmik/rsync-collision
> 
> I don't get the feeling that this will be fixed upstream, but a simple
> fix would be
> to incorporate libdetectcoll from Marc Stevens into rsync, and when a collision
> attempt is detected to simply send a data block.
> 
> A longer-term would be to just replace MD5 with a collision-resistant hash
> function - blake2 is a good fit.  The 128-bit output is right on the
> edge of being
> strong enough.
> 
> I submitted a very rough patch which does both, but I haven't had the
> time to clean
> the rough edges - the libdetectcoll codebase needs a fair amount of cleaning
> (printfs etc), and the rsync codebase needs a fair bit of refactor to
> handle hash
> output lengths > 16 bytes.

Was there any further progress with the rsync upstream?
Are they planning to address this issue or is there no interest?

  Vita Cizek

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ