Date: Fri, 10 Apr 2015 20:19:02 +0000
From: mancha <mancha1@...o.com>
To: oss-security@...ts.openwall.com
Cc: Michael Samuel <mik@...net.net>
Subject: Re: Re: [CVE Requests] rsync and librsync collisions

On Fri, Apr 10, 2015 at 11:26:53AM +0200, Vitezslav Cizek wrote:
> Hi Michael,
> 
> * On Thursday 18. September 2014, 04:30:22 [CEST] Michael Samuel wrote:
> > Ok, for rsync you can download colliding blocks (and a brief description) here:
> > 
> > https://github.com/therealmik/rsync-collision
> > 
> > I don't get the feeling that this will be fixed upstream, but a simple
> > fix would be to incorporate libdetectcoll from Marc Stevens into rsync,
> > and when a collision attempt is detected to simply send a data block.
> > 
> > A longer-term fix would be to just replace MD5 with a collision-resistant
> > hash function - blake2 is a good fit.  The 128-bit output is right on the
> > edge of being strong enough.
> > 
> > I submitted a very rough patch which does both, but I haven't had the
> > time to clean the rough edges - the libdetectcoll codebase needs a fair
> > amount of cleaning (printfs etc), and the rsync codebase needs a fair bit
> > of refactor to handle hash output lengths > 16 bytes.
> 
> Was there any further progress with the rsync upstream?
> Are they planning to address this issue or is there no interest?
> 
>   Vita Cizek

The last time this was discussed it was suggested to the reporter that a
fully working PoC be posted so the impact (or lack thereof) to rsync
might be evaluated.

Unless I missed it, this hasn't happened.

--mancha
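As an added illustration of the two fixes Michael describes (not code from the thread, rsync or librsync), here is a toy rsync-style block-matching exchange in Python with the strong checksum made pluggable: MD5 as rsync uses today, BLAKE2 truncated to 128 bits, and a 32-byte BLAKE2 digest to show that the matching code need not assume a 16-byte output. The `suspicious` hook is an assumption standing in for a libdetectcoll-style check; a flagged block is never advertised by the receiver, so the sender has nothing to match and sends the data instead. Block size and sample data are constructed for the demo.

```python
import hashlib
import zlib
from typing import Callable, Dict, List, Tuple

BLOCK = 4  # constructed: tiny block size so the sample data yields several blocks

# Strong-checksum choices discussed in the thread.
def md5_16(b: bytes) -> bytes:     return hashlib.md5(b).digest()                    # today's 16 bytes
def blake2_16(b: bytes) -> bytes:  return hashlib.blake2b(b, digest_size=16).digest()  # 128-bit BLAKE2
def blake2_32(b: bytes) -> bytes:  return hashlib.blake2b(b, digest_size=32).digest()  # > 16 bytes

Signature = Dict[int, Dict[bytes, int]]      # weak sum -> strong sum -> block offset
Delta = List[Tuple[str, object]]             # ('copy', offset) | ('data', bytes)

def signature(basis: bytes, strong: Callable[[bytes], bytes],
              suspicious: Callable[[bytes], bool] = lambda _b: False) -> Signature:
    """Receiver side: advertise (weak, strong) sums for each block of the old copy.
    `suspicious` is a placeholder for a libdetectcoll-style check (assumed placement):
    a flagged block gets no entry, so it can never be matched and must be resent."""
    sig: Signature = {}
    for off in range(0, len(basis), BLOCK):
        blk = basis[off:off + BLOCK]
        if len(blk) == BLOCK and not suspicious(blk):
            sig.setdefault(zlib.adler32(blk), {})[strong(blk)] = off
    return sig

def delta(new: bytes, sig: Signature, strong: Callable[[bytes], bytes]) -> Delta:
    """Sender side: weak sum first, strong sum only on a weak hit; unmatched bytes go as data."""
    out: Delta = []
    pos, lit = 0, b""
    while pos < len(new):
        blk = new[pos:pos + BLOCK]
        hit = sig.get(zlib.adler32(blk), {}).get(strong(blk)) if len(blk) == BLOCK else None
        if hit is None:
            lit += blk[:1]; pos += 1       # no match at this offset: ship the byte literally
            continue
        if lit:
            out.append(("data", lit)); lit = b""
        out.append(("copy", hit)); pos += BLOCK
    if lit:
        out.append(("data", lit))
    return out

def apply_delta(basis: bytes, d: Delta) -> bytes:
    """Receiver side: rebuild the new file from its old copy plus the delta."""
    return b"".join(basis[o:o + BLOCK] if k == "copy" else o for k, o in d)

def bytes_sent(d: Delta) -> int:
    return sum(len(o) for k, o in d if k == "data")

BASIS = b"AAAABBBBCCCCDDDD"   # constructed: receiver's old copy
NEW = b"AAAAxxBBBBDDDDzz"     # constructed: sender's new version
```

With `blake2_32` the signature dictionary simply carries 32-byte keys; the cost of a longer digest is on the wire, not in the matching logic.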
