oss-sec mailing list archives
Re: [CVE Requests] rsync and librsync collisions
From: Michael Samuel <mik () miknet net>
Date: Tue, 9 Sep 2014 15:22:36 +1000

[ A reminder - librsync is a different codebase and protocol to rsync ]

On 9 September 2014 15:06, Loganaden Velvindron <loganaden () gmail com> wrote:
> Have the details been made public yet?

The exploit code and example colliding blocks are not public, but I don't believe it would be hard to attempt your own exploit, especially against librsync with default parameters (a birthday attack is trivial).

There's an experimental patch for librsync:
https://github.com/therealmik/librsync/tree/blake2

Some review (especially by upstream) is required, and some agreement among users on details is required. See https://github.com/librsync/librsync/issues/5 if you maintain a downstream project (such as Duplicity).

I don't know what's happening with rsync upstream, there hasn't been much communication. I attempted a patch, but it got a bit hairy due to hard-coded details in the code (such as hash output length).

Regards,
Michael