Re: Re: [CVE Requests] rsync and librsync collisions

[Michael Samuel <mik () miknet net>]

Hi Kurt,

Murray McAllister handled the response to this when I reported it to secalert@
but it's currently languishing in BZ#1126713

If you want I can send my patch as a starting point - it got really
nasty because
nobody considered that strong sums would be >16 bytes when writing rsync.

Regards,
  Michael

On 11 April 2015 at 13:40, Kurt Seifried <kseifried () redhat com> wrote:
> If you'd like Red Hat can:
>
> 1) handle disclosure coordination (like we do for OpenSSL)
>
> and/or
>
> 2) handle patching/etc, we ship rsync so this is obviously of interest
> to us.
>
> Contact secalert () redhat com if you want and either myself or a coworker
> will handle this. Thanks!
>
> On 04/10/2015 08:06 PM, Michael Samuel wrote:
> > Hi,
> >
> > On 10 April 2015 at 19:26, Vitezslav Cizek <civ () blema cz> wrote:
> >
> > > Was there any further progress with the rsync upstream?
> > > Are they planning to address this issue or is there no interest?
> >
> > No further progress with upstream, it's possible that rsync is abandoned.
> >
> > Regards,
> >   Michael
>
> --
> Kurt Seifried -- Red Hat -- Product Security -- Cloud
> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993