Re: A question about CVE-2014-8242

2015-05-13 Thread Wayne Davison
On Mon, May 11, 2015 at 10:38 PM, yhu2 yadi...@windriver.com wrote:

 Thanks for your explanation, how about MD4 (rsync protocol 30)?  Any comment
 would be appreciated!!


The MD4 checksum in older protocols doesn't have the issue.

..wayne..
-- 
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html

Re: A question about CVE-2014-8242

2015-05-11 Thread Wayne Davison
On Mon, May 11, 2015 at 12:50 AM, yhu2 yadi...@windriver.com wrote:

 Whether or not CVE-2014-8242 affects rsync? Any comment would be
 appreciated!!


Yes.  It would be extremely hard for someone to trigger that via indirect
means (such as inserting DB data and managing to match a checksum record
boundary in contents somehow).  So, it has a very small potential to cause
a particular file to fail to transfer with a bad file-checksum.  I've made
a simple change that should avoid the issue:

https://git.samba.org/?p=rsync.git;a=commit;h=eac858085e3ac94ec0ab5061d11f52652c90a869

With the seed value moved to the right spot, an attacker can't craft a
false-match record that works for any transfer.  And the truly paranoid can
use the --checksum-seed=NUM option with their own random-for-each-transfer
value, should they think that rsync's seed method is too simplistic.

I also plan to add a new checksum method, but that shouldn't be needed for
thwarting this issue.

..wayne..
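Why the position of the seed matters, as an added example that is not part of the original thread and is not rsync's code: a toy 32-bit chained hash (a stand-in built from SHA-256, not rsync's MD5 or MD4) in which a precomputed colliding block pair keeps colliding under every seed hashed after the data, but under none of the tested seeds when the seed is hashed first. It assumes that "the right spot" means hashing the seed before the block data and that the seed is 32 bits; all function names are hypothetical.

```python
import hashlib
from itertools import count

CHUNK = 4  # bytes per compression step; also the seed size (assumed 32-bit seed)

def compress(state: bytes, chunk: bytes) -> bytes:
    # Toy compression function with a 32-bit chaining value (constructed stand-in).
    return hashlib.sha256(state + chunk).digest()[:4]

def toy_hash(data: bytes) -> bytes:
    # Chained (Merkle-Damgard style) hash over fixed-size chunks.
    assert len(data) % CHUNK == 0
    state = b"\x00" * 4
    for i in range(0, len(data), CHUNK):
        state = compress(state, data[i:i + CHUNK])
    return state

def find_collision():
    # Birthday search for two distinct 8-byte blocks with equal unseeded digests.
    seen = {}
    for i in count():
        block = i.to_bytes(8, "big")
        digest = toy_hash(block)
        if digest in seen:
            return seen[digest], block
        seen[digest] = block

def seed_after(block: bytes, seed: int) -> bytes:
    # Seed hashed after the data: equal chaining state, then an equal suffix.
    return toy_hash(block + seed.to_bytes(4, "little"))

def seed_before(block: bytes, seed: int) -> bytes:
    # Seed hashed first: the blocks are absorbed from a seed-dependent state.
    return toy_hash(seed.to_bytes(4, "little") + block)

def surviving(digest_fn, a: bytes, b: bytes, seeds) -> int:
    # Number of seeds under which the precomputed pair still collides.
    return sum(digest_fn(a, s) == digest_fn(b, s) for s in seeds)

if __name__ == "__main__":
    a, b = find_collision()
    seeds = range(1, 201)
    print("seed after data :", surviving(seed_after, a, b, seeds), "of 200 collide")
    print("seed before data:", surviving(seed_before, a, b, seeds), "of 200 collide")
```

The pair is found once without knowing any seed, which is the "works for any transfer" property the message describes; hashing the seed first removes it.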

Re: A question about CVE-2014-8242

2015-05-11 Thread yhu2

wayne.

Thanks for your explanation, how about MD4 (rsync protocol 30)? Any comment
would be appreciated!!


Thanks again.

Yadi

On 05/12/2015 05:19 AM, Wayne Davison wrote:
On Mon, May 11, 2015 at 12:50 AM, yhu2 yadi...@windriver.com wrote:


Whether or not CVE-2014-8242 affects rsync? Any comment would be
appreciated!!


Yes.  It would be extremely hard for someone to trigger that via 
indirect means (such as inserting DB data and managing to match a 
checksum record boundary in contents somehow).  So, it has a very 
small potential to cause a particular file to fail to transfer with a 
bad file-checksum.  I've made a simple change that should avoid the issue:


https://git.samba.org/?p=rsync.git;a=commit;h=eac858085e3ac94ec0ab5061d11f52652c90a869

With the seed value moved to the right spot, an attacker can't craft a 
false-match record that works for any transfer.  And the truly 
paranoid can use the --checksum-seed=NUM option with their own 
random-for-each-transfer value, should they think that rsync's seed 
method is too simplistic.


I also plan to add a new checksum method, but that shouldn't be needed 
for thwarting this issue.


..wayne..



Re: A question about CVE-2014-8242

2015-05-11 Thread yhu2


Thanks, great!!!

Yadi

On 05/12/2015 05:19 AM, Wayne Davison wrote:
On Mon, May 11, 2015 at 12:50 AM, yhu2 yadi...@windriver.com wrote:


Whether or not CVE-2014-8242 affects rsync? Any comment would be
appreciated!!


Yes.  It would be extremely hard for someone to trigger that via 
indirect means (such as inserting DB data and managing to match a 
checksum record boundary in contents somehow).  So, it has a very 
small potential to cause a particular file to fail to transfer with a 
bad file-checksum.  I've made a simple change that should avoid the issue:


https://git.samba.org/?p=rsync.git;a=commit;h=eac858085e3ac94ec0ab5061d11f52652c90a869

With the seed value moved to the right spot, an attacker can't craft a 
false-match record that works for any transfer.  And the truly 
paranoid can use the --checksum-seed=NUM option with their own 
random-for-each-transfer value, should they think that rsync's seed 
method is too simplistic.


I also plan to add a new checksum method, but that shouldn't be needed 
for thwarting this issue.


..wayne..

