Date: Fri, 10 Apr 2015 11:26:53 +0200
From: Vitezslav Cizek <civ@...ma.cz>
To: Michael Samuel <mik@...net.net>
Cc: oss-security@...ts.openwall.com
Subject: Re: Re: [CVE Requests] rsync and librsync collisions

Hi Michael,

* On Thursday 18. September 2014, 04:30:22 [CEST], Michael Samuel wrote:
> Ok, for rsync you can download colliding blocks (and a brief description) here:
>
> https://github.com/therealmik/rsync-collision
>
> I don't get the feeling that this will be fixed upstream, but a simple
> fix would be to incorporate libdetectcoll from Marc Stevens into rsync,
> and when a collision attempt is detected to simply send a data block.
>
> A longer-term fix would be to just replace MD5 with a collision-resistant
> hash function - blake2 is a good fit. The 128-bit output is right on the
> edge of being strong enough.
>
> I submitted a very rough patch which does both, but I haven't had the
> time to clean the rough edges - the libdetectcoll codebase needs a fair
> amount of cleaning (printfs etc), and the rsync codebase needs a fair bit
> of refactor to handle hash output lengths > 16 bytes.

Was there any further progress with the rsync upstream?
Are they planning to address this issue or is there no interest?

Vita Cizek
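The following is an added example illustrating the mechanism the thread is about; it is not code from rsync, librsync, libdetectcoll or the rsync-collision repository. It models rsync-style block matching (a linear weak checksum plus a "strong" per-block hash) and shows that when a sender-side block collides with a receiver-side block on both sums, the sender emits a "copy" instruction and the receiver silently keeps its stale block. It then shows the two remedies quoted above: sending a literal block whenever a collision-detection hook flags a block, and swapping the strong hash for BLAKE2 with a 128-bit digest. Assumptions: 32-byte blocks, a non-rolling Adler-32-style weak checksum, and a 2-byte truncated MD5 standing in for the real 128-bit MD5 so that a colliding block can be found by brute force offline (the blocks in the referenced repository come from real MD5 collision attacks, not from search); the `detect_collision` hook is a hypothetical stand-in for a libdetectcoll-style check, and the file contents are constructed.

```python
import hashlib
import itertools

BLOCK = 32  # constructed block size for the demo


def weak_sum(block: bytes) -> int:
    """Adler-32-style checksum like rsync's weak sum: both halves are linear in the bytes."""
    a = sum(block) % 65536
    b = sum((len(block) - i) * c for i, c in enumerate(block)) % 65536
    return (b << 16) | a


def md5_truncated(block: bytes) -> bytes:
    """Stand-in for rsync's MD5 block hash, truncated to 16 bits so collisions are cheap."""
    return hashlib.md5(block).digest()[:2]


def blake2_128(block: bytes) -> bytes:
    """The replacement suggested in the thread: BLAKE2 with 128-bit output."""
    return hashlib.blake2b(block, digest_size=16).digest()


def signature(basis: bytes, strong):
    """Receiver side: map (weak, strong) of every basis block to its offset."""
    sig = {}
    for off in range(0, len(basis), BLOCK):
        blk = basis[off:off + BLOCK]
        sig.setdefault((weak_sum(blk), strong(blk)), off)
    return sig


def delta(new: bytes, sig: dict, strong, detect_collision=None):
    """Sender side: ("copy", offset) when the receiver already has the block, else
    ("literal", bytes).  detect_collision is a hypothetical hook modelling the
    libdetectcoll-style check: a flagged block is sent as a literal even on a match."""
    ops = []
    for off in range(0, len(new), BLOCK):
        blk = new[off:off + BLOCK]
        key = (weak_sum(blk), strong(blk))
        if key in sig and not (detect_collision and detect_collision(blk)):
            ops.append(("copy", sig[key]))
        else:
            ops.append(("literal", blk))
    return ops


def apply_delta(basis: bytes, ops) -> bytes:
    """Receiver side: rebuild the file from copy/literal instructions."""
    out = bytearray()
    for kind, arg in ops:
        out += basis[arg:arg + BLOCK] if kind == "copy" else arg
    return bytes(out)


def weak_preserving_variants(block: bytes):
    """Yield blocks != block with the SAME weak checksum.  Because both halves of the
    weak sum are linear, a change vector with zero sum and zero weighted sum leaves it
    unchanged: +d at p, -d at p+s, -d at q, +d at q+s.  The caller keeps basis bytes in
    64..191 and d < 64 so no byte wraps around."""
    n = len(block)
    for s in range(1, n // 2):
        for p, q in itertools.permutations(range(n - s), 2):
            if len({p, p + s, q, q + s}) < 4:
                continue
            for d in range(1, 64):
                v = bytearray(block)
                v[p] += d
                v[p + s] -= d
                v[q] -= d
                v[q + s] += d
                yield bytes(v)


def find_colliding_block(block: bytes, strong, budget: int = 1_000_000):
    """Second-preimage search against weak+strong.  Feasible only for the truncated
    stand-in; against a 128-bit hash it returns None within the budget."""
    target = strong(block)
    for cand in itertools.islice(weak_preserving_variants(block), budget):
        if strong(cand) == target:
            return cand
    return None


def demo():
    """Run the scenario end to end and return everything a caller can check."""
    # Constructed receiver-side file: three blocks, bytes kept in 64..191.
    basis = bytes(64 + (i * 7) % 128 for i in range(3 * BLOCK))
    victim = basis[BLOCK:2 * BLOCK]
    evil = find_colliding_block(victim, md5_truncated)
    # Sender-side file differs from the receiver's only in the middle block.
    new = basis[:BLOCK] + evil + basis[2 * BLOCK:]

    # 1. Truncated MD5: the sender emits "copy", the receiver keeps the stale block.
    ops_md5 = delta(new, signature(basis, md5_truncated), md5_truncated)
    # 2. Same hash plus the literal fallback; the stand-in detector flags the crafted block.
    ops_fb = delta(new, signature(basis, md5_truncated), md5_truncated,
                   detect_collision=lambda blk: blk == evil)
    # 3. BLAKE2-128: no match, so the block travels as a literal.
    ops_b2 = delta(new, signature(basis, blake2_128), blake2_128)
    return {
        "basis": basis, "new": new, "victim": victim, "evil": evil,
        "ops_md5": ops_md5, "got_md5": apply_delta(basis, ops_md5),
        "ops_fallback": ops_fb, "got_fallback": apply_delta(basis, ops_fb),
        "ops_blake2": ops_b2, "got_blake2": apply_delta(basis, ops_b2),
        "blake2_collision": find_colliding_block(victim, blake2_128, budget=200_000),
    }


if __name__ == "__main__":
    r = demo()
    print("receiver ends up with sender's file (truncated MD5):", r["got_md5"] == r["new"])
    print("receiver ends up with sender's file (literal fallback):", r["got_fallback"] == r["new"])
    print("receiver ends up with sender's file (BLAKE2-128):", r["got_blake2"] == r["new"])
```

The weak checksum is matched by construction rather than by search, which is why the only thing standing between an attacker and a silently wrong transfer is the strong hash; the search budget that trivially breaks the truncated stand-in finds nothing against the 128-bit BLAKE2 digest, and the delta then carries the block as a literal.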