Date: Fri, 10 Apr 2015 20:19:02 +0000
From: mancha <mancha1@...o.com>
To: oss-security@...ts.openwall.com
Cc: Michael Samuel <mik@...net.net>
Subject: Re: Re: [CVE Requests] rsync and librsync collisions

On Fri, Apr 10, 2015 at 11:26:53AM +0200, Vitezslav Cizek wrote:
> Hi Michael,
>
> * On Thursday 18. September 2014, 04:30:22 [CEST] Michael Samuel wrote:
> > Ok, for rsync you can download colliding blocks (and a brief description) here:
> >
> > https://github.com/therealmik/rsync-collision
> >
> > I don't get the feeling that this will be fixed upstream, but a simple
> > fix would be to incorporate libdetectcoll from Marc Stevens into rsync, and
> > when a collision attempt is detected to simply send a data block.
> >
> > A longer-term fix would be to just replace MD5 with a collision-resistant hash
> > function - blake2 is a good fit. The 128-bit output is right on the edge of
> > being strong enough.
> >
> > I submitted a very rough patch which does both, but I haven't had the time
> > to clean the rough edges - the libdetectcoll codebase needs a fair amount of
> > cleaning (printfs etc), and the rsync codebase needs a fair bit of refactor
> > to handle hash output lengths > 16 bytes.
>
> Was there any further progress with the rsync upstream?
> Are they planning to address this issue or is there no interest?
>
> Vita Cizek

The last time this was discussed it was suggested to the reporter that a
fully working PoC be posted so the impact (or lack thereof) to rsync might
be evaluated. Unless I missed it, this hasn't happened.

--mancha

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]
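To make the mitigation proposed in the quoted message concrete, here is an added example in Python; it is not code from rsync, librsync or the patch mentioned in the thread. It models an rsync-style block matcher with a pluggable 128-bit strong checksum (MD5, or BLAKE2b truncated to 16 bytes as the thread suggests) and a sender-side hook, a plain callable named `detector` that stands in for libdetectcoll: any block the detector flags is transmitted as literal data instead of a copy token, so a suspected collision never causes the receiver to substitute the wrong basis block. The block size, sample data and the detector used in `__main__` are constructed for illustration and do not reproduce libdetectcoll's analysis.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

BLOCK = 4  # tiny block size for readability; real rsync blocks are hundreds of bytes


def strong_sum(data: bytes, algo: str = "blake2b") -> bytes:
    """Strong per-block checksum: MD5 (what rsync uses) or 128-bit BLAKE2b (proposed)."""
    if algo == "md5":
        return hashlib.md5(data).digest()
    return hashlib.blake2b(data, digest_size=16).digest()


def index_basis(basis: bytes, algo: str = "blake2b") -> Dict[bytes, int]:
    """Receiver side: map each basis block's strong checksum to its byte offset."""
    return {strong_sum(basis[o:o + BLOCK], algo): o for o in range(0, len(basis), BLOCK)}


def make_delta(basis: bytes, new: bytes, algo: str = "blake2b",
               detector: Callable[[bytes], bool] = lambda blk: False) -> List[Tuple[str, object]]:
    """Sender side. A block becomes a ("copy", offset) token only when its checksum
    matches a basis block AND the collision detector does not flag it; otherwise the
    raw bytes are sent as ("literal", data). `detector` is a hypothetical stand-in
    for libdetectcoll, which would examine the hash computation itself."""
    table = index_basis(basis, algo)
    delta: List[Tuple[str, object]] = []
    for o in range(0, len(new), BLOCK):
        blk = new[o:o + BLOCK]
        digest = strong_sum(blk, algo)
        if digest in table and not detector(blk):
            delta.append(("copy", table[digest]))
        else:
            delta.append(("literal", blk))
    return delta


def apply_delta(basis: bytes, delta: List[Tuple[str, object]]) -> bytes:
    """Receiver reconstructs the new file from basis block copies and literal runs."""
    out = bytearray()
    for kind, arg in delta:
        out += basis[arg:arg + BLOCK] if kind == "copy" else arg
    return bytes(out)


if __name__ == "__main__":
    basis = b"AAAABBBBCCCC"  # constructed sample basis file
    new = b"AAAAXXXXCCCC"    # constructed sample new file
    print(make_delta(basis, new))                                   # two copies, one literal
    print(make_delta(basis, new, detector=lambda b: b == b"AAAA"))  # flagged block sent raw
```

Swapping `algo` between "md5" and "blake2b" changes nothing in the protocol logic, which is the point the thread makes about the hash being replaceable as long as the output length is handled.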