oss-sec mailing list archives
Re: [CVE Requests] rsync and librsync collisions
From: cve-assign () mitre org
Date: Fri, 12 Sep 2014 14:39:58 -0400 (EDT)
> The below still require a CVE or two (unless MITRE disagrees).
>
> I think there should be CVEs assigned for this:
>
> rsync: MD5 collision DoS attack or limited file corruption
> librsync: MD4 collision file corruption
>
> Note: librsync is not the same code, protocol or maintainer as rsync.
The short answer is that we neither agree nor disagree at present; we think that either any required CVE assignment can be made by us after a full public disclosure, or any required CVE assignment can be made by a different CNA now.

Further details: MITRE has been contacted about this rsync and librsync report through multiple channels. The reply that we sent wasn't previously copied here because it didn't seem to be about a publicly known vulnerability.

MITRE has no role in determining the list charter, but http://oss-security.openwall.org/wiki/mailing-lists/oss-security says "List Content Guidelines ... Public security issues only please."

http://www.openwall.com/lists/oss-security/2014/07/28/1 says "my last response from Wayne was effectively denying that this is a vulnerability" and "I won't provide full details yet, but if any distributions would like some collisions to perform specific tests (perhaps on Openstack Swift), please get in contact privately."

http://www.openwall.com/lists/oss-security/2014/08/05/7 adds "I have provided a privileged few with PoC" and "My plan was to wait for fixes before releasing the full write-up and code."

Our feeling is that, if the issue is not really public, sending a CVE request to the oss-security list is not a standard procedure.

It seems that the simplest way forward would occur if one of the above-mentioned "privileged few" is a CNA on the http://cve.mitre.org/cve/cna.html list. They can evaluate the information that they have and make one or more CVE assignments. If the meaning of the CVE assignments is understandable without referring to the non-public details, then it might be useful to send the CVE assignments here, even before the full public disclosure.

MITRE is not currently interested in receiving an advance copy of the full public disclosure or any related PoC information from anyone. We'll see whether the CNA process above can work.
-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
Current thread:
- [CVE Requests] rsync and librsync collisions Michael Samuel (Aug 04)
- Re: [CVE Requests] rsync and librsync collisions Loganaden Velvindron (Aug 04)
- Re: [CVE Requests] rsync and librsync collisions Michael Samuel (Aug 04)
- Re: [CVE Requests] rsync and librsync collisions Murray McAllister (Sep 08)
- Re: [CVE Requests] rsync and librsync collisions Loganaden Velvindron (Sep 08)
- Re: [CVE Requests] rsync and librsync collisions Michael Samuel (Sep 08)
- Re: [CVE Requests] rsync and librsync collisions cve-assign (Sep 12)
- Re: Re: [CVE Requests] rsync and librsync collisions Michael Samuel (Sep 15)
- Re: Re: [CVE Requests] rsync and librsync collisions Loganaden Velvindron (Sep 15)
- Re: Re: [CVE Requests] rsync and librsync collisions Michael Samuel (Sep 17)
- Re: [CVE Requests] rsync and librsync collisions Loganaden Velvindron (Sep 08)
- Re: [CVE Requests] rsync and librsync collisions Loganaden Velvindron (Aug 04)