oss-sec mailing list archives
Re: Re: [CVE Requests] rsync and librsync collisions
From: Michael Samuel <mik () miknet net>
Date: Tue, 16 Sep 2014 15:47:09 +1000
On 13 September 2014 04:39, <cve-assign () mitre org> wrote:
> The short answer is that we neither agree nor disagree at present; we
> think that either any required CVE assignment can be made by us after a
> full public disclosure, or any required CVE assignment can be made by a
> different CNA now.

The bug is publicly disclosed. The exploit isn't (and I believe list rules dictate that I can't post exploits here).

> MITRE is not currently interested in receiving an advance copy of the
> full public disclosure or any related PoC information from anyone. We'll
> see whether the CNA process above can work.

I don't care who assigns the CVE, but it would be nice to be able to link the tickets for this together somehow.

An experimental branch of librsync that uses blake2 is available here:
https://github.com/therealmik/librsync/tree/blake2

Dropbox have responded that they have fixed this bug independently, but have not pushed anything out to their forked librsync github repo.

I have not heard further from the rsync maintainer.

I will publicly release colliding blocks and construction details soon, so if you use rsync on untrusted files, consider using the -W option to avoid a DoS.

Regards,
Michael
Current thread:
- [CVE Requests] rsync and librsync collisions Michael Samuel (Aug 04)
- Re: [CVE Requests] rsync and librsync collisions Loganaden Velvindron (Aug 04)
- Re: [CVE Requests] rsync and librsync collisions Michael Samuel (Aug 04)
- Re: [CVE Requests] rsync and librsync collisions Murray McAllister (Sep 08)
- Re: [CVE Requests] rsync and librsync collisions Loganaden Velvindron (Sep 08)
- Re: [CVE Requests] rsync and librsync collisions Michael Samuel (Sep 08)
- Re: [CVE Requests] rsync and librsync collisions cve-assign (Sep 12)
- Re: Re: [CVE Requests] rsync and librsync collisions Michael Samuel (Sep 15)
- Re: Re: [CVE Requests] rsync and librsync collisions Loganaden Velvindron (Sep 15)
- Re: Re: [CVE Requests] rsync and librsync collisions Michael Samuel (Sep 17)
- Re: [CVE Requests] rsync and librsync collisions Loganaden Velvindron (Sep 08)
- Re: [CVE Requests] rsync and librsync collisions Loganaden Velvindron (Aug 04)