oss-sec mailing list archives
Re: Re: [CVE Requests] rsync and librsync collisions
From: Michael Samuel <mik () miknet net>
Date: Thu, 18 Sep 2014 12:30:22 +1000
Ok, for rsync you can download colliding blocks (and a brief description) here: https://github.com/therealmik/rsync-collision

I don't get the feeling that this will be fixed upstream, but a simple fix would be to incorporate libdetectcoll from Marc Stevens into rsync, and when a collision attempt is detected to simply send a data block.

A longer-term fix would be to just replace MD5 with a collision-resistant hash function - blake2 is a good fit. The 128-bit output is right on the edge of being strong enough.

I submitted a very rough patch which does both, but I haven't had the time to clean the rough edges - the libdetectcoll codebase needs a fair amount of cleaning (printfs etc), and the rsync codebase needs a fair bit of refactor to handle hash output lengths > 16 bytes.

Regards,
Michael
Current thread:
- [CVE Requests] rsync and librsync collisions Michael Samuel (Aug 04)
- Re: [CVE Requests] rsync and librsync collisions Loganaden Velvindron (Aug 04)
- Re: [CVE Requests] rsync and librsync collisions Michael Samuel (Aug 04)
- Re: [CVE Requests] rsync and librsync collisions Murray McAllister (Sep 08)
- Re: [CVE Requests] rsync and librsync collisions Loganaden Velvindron (Sep 08)
- Re: [CVE Requests] rsync and librsync collisions Michael Samuel (Sep 08)
- Re: [CVE Requests] rsync and librsync collisions cve-assign (Sep 12)
- Re: Re: [CVE Requests] rsync and librsync collisions Michael Samuel (Sep 15)
- Re: Re: [CVE Requests] rsync and librsync collisions Loganaden Velvindron (Sep 15)
- Re: Re: [CVE Requests] rsync and librsync collisions Michael Samuel (Sep 17)
- Re: [CVE Requests] rsync and librsync collisions Loganaden Velvindron (Sep 08)
- Re: [CVE Requests] rsync and librsync collisions Loganaden Velvindron (Aug 04)