librsync and rsync vulnerability to maliciously crafted data. was Re: MD4 checksum_seed

Eran Tromer rsync2eran at
Thu Apr 8 09:57:34 GMT 2004


On 2004/04/05 07:21, Donovan Baarda wrote:
> there are four ways crafted blocks can be use;
> 1) two crafted blocks in the "original" file
> 2) two crafted blocks in the "target" file
> 3) a crafted pair of "target" and "original" files with matching
> block(s)
> 4) a block in the "target" crafted to match a block in the "original"
> Summary;
> case 2) has no impact
> case 4) is of minimal impact in rsync, and sufficiently hard in
> librsync.
> librsync needs a whole file checksum. Without it, it silently fails for
> case 1), 3), and 4).
> librsync could benefit from a random checksum_seed. It would need to be
> included in the signature. Without it librsync is vulnerable to cases 1)
> and 3).
> rsync shouldn't need a fixed seed for batch modes... just store the seed
> in the signature. using a fixed seed makes it vulnerable to 1) and 3).

I fully agree with your analysis.
I'll just note that in many situations, case 2 can be elevated to case 3
simply by transferring the file twice.


More information about the rsync mailing list