A question about CVE-2014-8242
Wayne Davison
wayned at samba.org
Mon May 11 15:19:16 MDT 2015
On Mon, May 11, 2015 at 12:50 AM, yhu2 <yadi.hu at windriver.com> wrote:
> whether or not CVE-2014-8242 affects rsync? any commnet would be
> appreciated!!
>
Yes. It would be extremely hard for someone to trigger that via indirect
means (such as inserting DB data and managing to match a checksum record
boundary in contents somehow). So, it has a very small potential to cause
a particular file to fail to transfer with a bad file-checksum. I've made
a simple change that should avoid the issue:
https://git.samba.org/?p=rsync.git;a=commit;h=eac858085e3ac94ec0ab5061d11f52652c90a869
With the seed value moved to the right spot, an attacker can't craft a
false-match record that works for any transfer. And the truly paranoid can
use the --checksum-seed=NUM option with their own random-for-each-transfer
value, should they think that rsync's seed method is too simplistic.
I also plan to add a new checksum method, but that shouldn't be needed for
thwarting this issue.
..wayne..
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.samba.org/pipermail/rsync/attachments/20150511/1ea3a626/attachment.html>
More information about the rsync
mailing list