oss-sec mailing list archives

Re: Re: [CVE Requests] rsync and librsync collisions

From: Vitezslav Cizek <civ () blema cz>
Date: Fri, 10 Apr 2015 11:26:53 +0200

Hi Michael,

* Dne Thursday 18. September 2014, 04:30:22 [CEST] Michael Samuel napsal:

Ok, for rsync you can download colliding blocks (and a brief description) here:

https://github.com/therealmik/rsync-collision

I don't get the feeling that this will be fixed upstream, but a simple
fix would be
to incorporate libdetectcoll from Marc Stevens into rsync, and when a collision
attempt is detected to simply send a data block.

A longer-term would be to just replace MD5 with a collision-resistant hash
function - blake2 is a good fit.  The 128-bit output is right on the
edge of being
strong enough.

I submitted a very rough patch which does both, but I haven't had the
time to clean
the rough edges - the libdetectcoll codebase needs a fair amount of cleaning
(printfs etc), and the rsync codebase needs a fair bit of refactor to
handle hash
output lengths > 16 bytes.


Was there any further progress with the rsync upstream?
Are they planning to address this issue or is there no interest?

  Vita Cizek

Current thread:

Re: Re: [CVE Requests] rsync and librsync collisions Vitezslav Cizek (Apr 10)
- Re: Re: [CVE Requests] rsync and librsync collisions mancha (Apr 10)
  - Re: Re: [CVE Requests] rsync and librsync collisions Michael Samuel (Apr 10)
    - Re: Re: [CVE Requests] rsync and librsync collisions mancha (Apr 10)
- Re: Re: [CVE Requests] rsync and librsync collisions Michael Samuel (Apr 10)
  - Re: Re: [CVE Requests] rsync and librsync collisions mancha (Apr 10)
  - Re: Re: [CVE Requests] rsync and librsync collisions Kurt Seifried (Apr 10)
    - Re: Re: [CVE Requests] rsync and librsync collisions Michael Samuel (Apr 10)
    - Re: Re: [CVE Requests] rsync and librsync collisions Kurt Seifried (Apr 10)