<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix"><br>
Thanks, great!!!<br>
<br>
Yadi<br>
<br>
On 05/12/2015 05:19 AM, Wayne Davison wrote:<br>
</div>
<blockquote
cite="mid:CAHSx_StDE7drBpKUqvW6vJ_d5qx1ZkVHBt+BfyWNiOx8EhhKpw@mail.gmail.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">On Mon, May 11, 2015 at 12:50 AM,
yhu2 <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:yadi.hu@windriver.com" target="_blank">yadi.hu@windriver.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">whether
or not CVE-2014-8242 affects rsync? Any comment would be
appreciated!!<br>
</blockquote>
<div><br>
</div>
<div>Yes. It would be extremely hard for someone to trigger
that via indirect means (such as inserting DB data and
managing to match a checksum record boundary in contents
somehow). So, it has a very small potential to cause a
particular file to fail to transfer with a bad
file-checksum. I've made a simple change that should
avoid the issue:</div>
<div><br>
</div>
<div><a moz-do-not-send="true"
href="https://git.samba.org/?p=rsync.git;a=commit;h=eac858085e3ac94ec0ab5061d11f52652c90a869">https://git.samba.org/?p=rsync.git;a=commit;h=eac858085e3ac94ec0ab5061d11f52652c90a869</a><br>
</div>
<div><br>
</div>
<div>With the seed value moved to the right spot, an
attacker can't craft a false-match record that works for
any transfer. And the truly paranoid can use the
--checksum-seed=NUM option with their own
random-for-each-transfer value, should they think that
rsync's seed method is too simplistic.</div>
<div><br>
</div>
<div>I also plan to add a new checksum method, but that
shouldn't be needed for thwarting this issue.</div>
<div><br>
</div>
<div>
<div>
<div class="gmail_signature">..wayne..</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
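<div>Why the position of the seed matters, as an added example that is not code from rsync or from this thread: a colliding pair of blocks built without knowing the seed keeps matching for every seed when the seed is hashed after the data, and stops matching when the seed is hashed first. It assumes "the right spot" means hashing the seed before the block data, and it uses a hypothetical toy Merkle-Damgard hash (toy_hash, 32-bit state from truncated MD5) so that a colliding pair can be found in under a second.</div>

```python
import hashlib
from itertools import count

BLOCK = 4              # toy block size in bytes (assumption, not rsync's)
IV = b"\x00" * 4       # toy 32-bit chaining state

def compress(state, block):
    """Toy compression function: MD5 truncated to 32 bits."""
    return hashlib.md5(state + block).digest()[:4]

def toy_hash(msg):
    """Merkle-Damgard construction with length padding, like MD4/MD5."""
    pad = b"\x80" + b"\x00" * (-(len(msg) + 1) % BLOCK)
    padded = msg + pad + len(msg).to_bytes(4, "big")
    state = IV
    for i in range(0, len(padded), BLOCK):
        state = compress(state, padded[i:i + BLOCK])
    return state

def find_collision():
    """Birthday-search two distinct one-block inputs with equal state."""
    seen = {}
    for i in count():
        block = i.to_bytes(BLOCK, "big")
        state = compress(IV, block)
        if state in seen:
            return seen[state], block
        seen[state] = block

def seeded_sum(data, seed, seed_first):
    """Block checksum with a 32-bit per-transfer seed mixed in."""
    s = seed.to_bytes(4, "little")
    return toy_hash(s + data if seed_first else data + s)

def surviving_matches(a, b, seeds, seed_first):
    """Count seeds for which the precomputed pair still collides."""
    return sum(seeded_sum(a, s, seed_first) == seeded_sum(b, s, seed_first)
               for s in seeds)

if __name__ == "__main__":
    a, b = find_collision()          # computed once, with no seed known
    seeds = range(1, 257)            # constructed sample seeds
    print("pair:", a.hex(), b.hex())
    print("seed after data :", surviving_matches(a, b, seeds, False), "of 256")
    print("seed before data:", surviving_matches(a, b, seeds, True), "of 256")
```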
</body>
</html>