[librsync-devel] librsync and rsync vulnerability to maliciously crafted data. was Re: MD4 checksum_seed

Wayne Davison wayned at samba.org
Thu Apr 8 16:55:05 GMT 2004


On Thu, Apr 08, 2004 at 03:50:48PM +1000, Donovan Baarda wrote:
> I think I've just realised what you were getting at; if the
> checksum_seed is based on something like the whole file md4sum, it
> becomes repeatable, but unpredictable.

Not so.  Copy the file once, and you'd get all the data you'd need to
create a new local file using a known-signature attack (as long as the
input file didn't change, and that's easy to predict for many files).
I also don't like the doubling of the I/O-cost on the sending side, so
I don't think this is a good way to go.

..wayne..

