oss-sec mailing list archives
Re: [CVE Requests] rsync and librsync collisions
From: Loganaden Velvindron <loganaden () gmail com>
Date: Tue, 5 Aug 2014 10:12:03 +0400
On Tue, Aug 5, 2014 at 10:03 AM, Michael Samuel <mik () miknet net> wrote:
Hi, I think there should be CVEs assigned for this: rsync: MD5 collision DoS attack or limited file corruption librsync: MD4 collision file corruption Note: librsync is not the same code, protocol or maintainer as rsync. The librsync attack is far easier to perform, since there's no whole-file checksum and it will simply copy the first instance of a collision into any place where the second collision is. The rdiff utility that ships with librsync truncates hashes to 8 bytes, allowing a very fast and efficient birthday attack - so even if MD4 was replaced attacks would still be possible while the hash is truncted. This also affects duplicity - they both use RS_DEFAULT_STRONG_LEN - so the _librsyncmodule that ships with duplicity will need recompiling after the fix ships. Previous posting for context: http://www.openwall.com/lists/oss-security/2014/07/28/1
Hi, Can you please post at least a PoC or steps that others can use to reproduce the issues in rsync and librsync ? IMHO, that would *really* help.
Regards, Michael
-- This message is strictly personal and the opinions expressed do not represent those of my employers, either past or present.
Current thread:
- [CVE Requests] rsync and librsync collisions Michael Samuel (Aug 04)
- Re: [CVE Requests] rsync and librsync collisions Loganaden Velvindron (Aug 04)
- Re: [CVE Requests] rsync and librsync collisions Michael Samuel (Aug 04)
- Re: [CVE Requests] rsync and librsync collisions Murray McAllister (Sep 08)
- Re: [CVE Requests] rsync and librsync collisions Loganaden Velvindron (Sep 08)
- Re: [CVE Requests] rsync and librsync collisions Michael Samuel (Sep 08)
- Re: [CVE Requests] rsync and librsync collisions cve-assign (Sep 12)
- Re: Re: [CVE Requests] rsync and librsync collisions Michael Samuel (Sep 15)
- Re: Re: [CVE Requests] rsync and librsync collisions Loganaden Velvindron (Sep 15)
- Re: Re: [CVE Requests] rsync and librsync collisions Michael Samuel (Sep 17)
- Re: [CVE Requests] rsync and librsync collisions Loganaden Velvindron (Sep 08)
- Re: [CVE Requests] rsync and librsync collisions Loganaden Velvindron (Aug 04)