Re: Re: [CVE Requests] rsync and librsync collisions

[mancha <mancha1 () zoho com>]

On Fri, Apr 10, 2015 at 11:26:53AM +0200, Vitezslav Cizek wrote:
> Hi Michael,
>
> * Dne Thursday 18. September 2014, 04:30:22 [CEST] Michael Samuel napsal:
> > Ok, for rsync you can download colliding blocks (and a brief description) here:
> >
> > https://github.com/therealmik/rsync-collision
> >
> > I don't get the feeling that this will be fixed upstream, but a simple
> > fix would be
> > to incorporate libdetectcoll from Marc Stevens into rsync, and when a collision
> > attempt is detected to simply send a data block.
> >
> > A longer-term would be to just replace MD5 with a collision-resistant hash
> > function - blake2 is a good fit.  The 128-bit output is right on the
> > edge of being
> > strong enough.
> >
> > I submitted a very rough patch which does both, but I haven't had the
> > time to clean
> > the rough edges - the libdetectcoll codebase needs a fair amount of cleaning
> > (printfs etc), and the rsync codebase needs a fair bit of refactor to
> > handle hash
> > output lengths > 16 bytes.
>
> Was there any further progress with the rsync upstream?
> Are they planning to address this issue or is there no interest?
>
>   Vita Cizek

The last time this was discussed it was suggested to the reporter that a
fully working PoC be posted so the impact (or lack thereof) to rsync
might be evaluated.

Unless I missed it, this hasn't happened.

--mancha

Attachment: _bin
Description: