Thanks, great!!!


On 05/12/2015 05:19 AM, Wayne Davison wrote:
On Mon, May 11, 2015 at 12:50 AM, yhu2 wrote:

    Whether or not CVE-2014-8242 affects rsync? Any comment would be

Yes. It would be extremely hard for someone to trigger that via indirect means (such as inserting DB data and managing to match a checksum record boundary in contents somehow). So, it has a very small potential to cause a particular file to fail to transfer with a bad file-checksum. I've made a simple change that should avoid the issue:;a=commit;h=eac858085e3ac94ec0ab5061d11f52652c90a869

With the seed value moved to the right spot, an attacker can't craft a false-match record that works for any transfer. And the truly paranoid can use the --checksum-seed=NUM option with their own random-for-each-transfer value, should they think that rsync's seed method is too simplistic.

I also plan to add a new checksum method, but that shouldn't be needed for thwarting this issue.
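
An added illustration, not code from rsync or from this thread: a toy Merkle-Damgard hash with a 32-bit state shows why the position of the seed decides whether a precomputed false-match pair works for every transfer. It assumes "the right spot" means hashing the seed before the block data instead of after it; the toy hash, its parameters and all function names are made up for the example.

```python
import hashlib
from itertools import count

BLOCK = 4        # toy block size in bytes (real MD4/MD5 use 64)
IV = bytes(4)    # toy 32-bit chaining value (real MD4/MD5 use 128 bits)

def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function: truncated MD5 of state || block."""
    return hashlib.md5(state + block).digest()[:4]

def toy_hash(msg: bytes) -> bytes:
    """Merkle-Damgard iteration with length padding, MD4/MD5 in miniature."""
    padded = msg + b"\x80"
    padded += bytes(-len(padded) % BLOCK) + len(msg).to_bytes(BLOCK, "little")
    state = IV
    for i in range(0, len(padded), BLOCK):
        state = compress(state, padded[i:i + BLOCK])
    return state

def find_block_collision() -> tuple:
    """Birthday search for two one-block inputs with equal chaining value."""
    seen = {}
    for n in count():
        block = n.to_bytes(BLOCK, "little")
        state = compress(IV, block)
        if state in seen:
            return seen[state], block
        seen[state] = block

def seed_after(data: bytes, seed: int) -> bytes:
    # Assumed old order: block data first, 4-byte seed appended.
    return toy_hash(data + seed.to_bytes(4, "little"))

def seed_before(data: bytes, seed: int) -> bytes:
    # Assumed fixed order: 4-byte seed first, then block data.
    return toy_hash(seed.to_bytes(4, "little") + data)

def surviving_seeds(checksum, a: bytes, b: bytes, seeds) -> int:
    """Count seeds for which the precomputed pair still collides."""
    return sum(checksum(a, s) == checksum(b, s) for s in seeds)

if __name__ == "__main__":
    a, b = find_block_collision()   # computed once, with no seed known
    seeds = range(1, 1001)
    print("seed after data :", surviving_seeds(seed_after, a, b, seeds), "of 1000")
    print("seed before data:", surviving_seeds(seed_before, a, b, seeds), "of 1000")
```

With the seed appended, the two inputs reach the same chaining value before the seed is mixed in, so every seed gives the same result for both; with the seed first, the pair would have to be recomputed for each seed value.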

