Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CACYkhxjv+J3KCceP-EFfV0T7DpAwLvcHDhgoiBT_hzLWYY1cVA@mail.gmail.com>
Date: Tue, 9 Sep 2014 15:22:36 +1000
From: Michael Samuel <mik@...net.net>
To: oss-security@...ts.openwall.com
Subject: Re: [CVE Requests] rsync and librsync collisions

[ A reminder - librsync is a different codebase and protocol to rsync ]

On 9 September 2014 15:06, Loganaden Velvindron <loganaden@...il.com> wrote:
> Have the details been made public yet ?

The exploit code and example colliding blocks are not public, but I
don't believe it
would be hard to attempt your own exploit, especially against librsync
with default
parameters (a birthday attack is trivial).

There's an experimental patch for librsync:
https://github.com/therealmik/librsync/tree/blake2

Some review (especially by upstream) is required, and some agreement among users
on details is required.  See
https://github.com/librsync/librsync/issues/5 if you maintain
a downstream project (such as Duplicity).

I don't know what's happening with rsync upstream, there hasn't been much
communication.  I attempted a patch, but it got a bit hairy due to
hard-coded details in
the code (such as hash output length).

Regards,
  Michael

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.