On Mon, May 11, 2015 at 12:50 AM, yhu2 <yadi...@windriver.com> wrote:

> whether or not  CVE-2014-8242 affects rsync? any commnet would be
> appreciated!!

Yes.  It would be extremely hard for someone to trigger that via indirect
means (such as inserting DB data and managing to match a checksum record
boundary in contents somehow).  So, it has a very small potential to cause
a particular file to fail to transfer with a bad file-checksum.  I've made
a simple change that should avoid the issue:


With the seed value moved to the right spot, an attacker can't craft a
false-match record that works for any transfer.  And the truly paranoid can
use the --checksum-seed=NUM option with their own random-for-each-transfer
value, should they think that rsync's seed method is too simplistic.

I also plan to add a new checksum method, but that shouldn't be needed for
thwarting this issue.

Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html

Reply via email to