A question about CVE-2014-8242

A question about CVE-2014-8242

yhu2
Hi, everyone here:

Does CVE-2014-8242 affect rsync? Any comment would be appreciated!!

Yadi
--
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html

Re: A question about CVE-2014-8242

Wayne Davison-2
On Mon, May 11, 2015 at 12:50 AM, yhu2 <[hidden email]> wrote:
Does CVE-2014-8242 affect rsync? Any comment would be appreciated!!

Yes.  It would be extremely hard for someone to trigger that via indirect means (such as inserting DB data and managing to match a checksum record boundary in contents somehow).  So, it has a very small potential to cause a particular file to fail to transfer with a bad file-checksum.  I've made a simple change that should avoid the issue:


With the seed value moved to the right spot, an attacker can't craft a false-match record that works for any transfer.  And the truly paranoid can use the --checksum-seed=NUM option with their own random-for-each-transfer value, should they think that rsync's seed method is too simplistic.

I also plan to add a new checksum method, but that shouldn't be needed for thwarting this issue.

..wayne..

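Why the placement of the seed matters, as an added toy model that is not rsync's code and not the change Wayne refers to: it assumes the "right spot" means hashing the per-transfer seed before the block data rather than after it, and it uses a 16-bit toy Merkle-Damgard hash (toy_md, sum_seed_after, sum_seed_before and the other names are constructed for this illustration) so that a colliding block pair can be found by brute force.

```python
import hashlib
import struct

def toy_md(data: bytes, iv: int = 0x5A5A) -> int:
    """Toy Merkle-Damgard hash with a 16-bit chaining state, built only so
    that an internal-state collision is cheap to find. It stands in for the
    real strong checksum (MD5 in protocol 30) and is not rsync's code."""
    state = iv
    for off in range(0, len(data), 4):
        chunk = data[off:off + 4].ljust(4, b"\0")
        # compression step: MD5 of (state || chunk), truncated to 16 bits
        digest = hashlib.md5(state.to_bytes(2, "big") + chunk).digest()
        state = int.from_bytes(digest[:2], "big")
    return state

def sum_seed_after(block: bytes, seed: int) -> int:
    """Seed absorbed after the data (assumed model of the pre-fix order)."""
    return toy_md(block + struct.pack("<i", seed))

def sum_seed_before(block: bytes, seed: int) -> int:
    """Seed absorbed before the data (assumed model of the fixed order)."""
    return toy_md(struct.pack("<i", seed) + block)

def find_state_collision(block: bytes, limit: int = 1 << 24) -> bytes:
    """Brute-force a different 8-byte block that reaches the same chaining
    state as `block`; feasible only because the toy state is 16 bits."""
    target = toy_md(block)
    for i in range(limit):
        candidate = b"xx" + i.to_bytes(6, "big")  # constructed 8-byte candidate
        if candidate != block and toy_md(candidate) == target:
            return candidate
    raise RuntimeError("no collision found within limit")

def false_match_survives_seed_after(a: bytes, b: bytes, seeds) -> bool:
    """With the seed appended, a precomputed colliding pair stays a collision
    for every seed: the chaining states are equal before the seed is hashed."""
    return all(sum_seed_after(a, s) == sum_seed_after(b, s) for s in seeds)

def seeds_that_break_false_match(a: bytes, b: bytes, seeds) -> int:
    """With the seed hashed first, the pair only collides by chance (about
    1 in 65536 per seed in this toy), so a fresh per-transfer seed defeats it."""
    return sum(sum_seed_before(a, s) != sum_seed_before(b, s) for s in seeds)

ORIGINAL = b"origdata"                    # constructed sample block
CRAFTED = find_state_collision(ORIGINAL)  # attacker's false-match block
SEEDS = list(range(1, 17))                # constructed per-transfer seeds

if __name__ == "__main__":
    print("seed after :", false_match_survives_seed_after(ORIGINAL, CRAFTED, SEEDS))
    print("seed before:", seeds_that_break_false_match(ORIGINAL, CRAFTED, SEEDS), "of", len(SEEDS))
```

The same reasoning is why a random --checksum-seed=NUM per transfer helps: the crafted record has to be computed against a seed the attacker cannot know in advance.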

Re: A question about CVE-2014-8242

yhu2

Thanks, great!!!

Yadi

On 05/12/2015 05:19 AM, Wayne Davison wrote:


Re: A question about CVE-2014-8242

yhu2
In reply to this post by Wayne Davison-2
Wayne,

Thanks for your explanation. How about MD4 (rsync protocol <30)? Any comment would be appreciated!!

Thanks again.

Yadi

On 05/12/2015 05:19 AM, Wayne Davison wrote:


Re: A question about CVE-2014-8242

Wayne Davison-2

On Mon, May 11, 2015 at 10:38 PM, yhu2 <[hidden email]> wrote:
Thanks for your explanation. How about MD4 (rsync protocol <30)? Any comment would be appreciated!!

The MD4 checksum in older protocols doesn't have the issue.

..wayne..
