Thanks great!!!.
Yadi
On 05/12/2015 05:19 AM, Wayne Davison wrote:
On Mon, May 11, 2015 at 12:50 AM, yhu2 <yadi...@windriver.com
<mailto:yadi...@windriver.com>> wrote:
whether or not CVE-2014-8242 affects rsync? any commnet would be
appreciated!!
Yes. It would be extremely hard for someone to trigger that via
indirect means (such as inserting DB data and managing to match a
checksum record boundary in contents somehow). So, it has a very
small potential to cause a particular file to fail to transfer with a
bad file-checksum. I've made a simple change that should avoid the issue:
https://git.samba.org/?p=rsync.git;a=commit;h=eac858085e3ac94ec0ab5061d11f52652c90a869
With the seed value moved to the right spot, an attacker can't craft a
false-match record that works for any transfer. And the truly
paranoid can use the --checksum-seed=NUM option with their own
random-for-each-transfer value, should they think that rsync's seed
method is too simplistic.
I also plan to add a new checksum method, but that shouldn't be needed
for thwarting this issue.
..wayne..
--
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
