Re: [rdiff-backup-users] Change to librsync

From: Robert Nichols
Subject: Re: [rdiff-backup-users] Change to librsync
Date: Sun, 22 Feb 2015 08:32:53 -0600
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0

On 02/21/2015 09:05 PM, Frank Crawford wrote:

> By the looks of it, the following security change to librsync will have
> some effect on rdiff-backup:
>
> Changes in librsync 1.0.0 (2015-01-23)
>
> * SECURITY: CVE-2014-8242: librsync previously used a truncated MD4
> "strong" check sum to match blocks. However, MD4 is not
> cryptographically strong. It's possible that an attacker who can control
> the contents of one part of a file could use it to control other regions
> of the file, if it's transferred using librsync/rdiff. For example this
> might occur in a database, mailbox, or VM image containing some
> attacker-controlled data.
>
> To mitigate this issue, signatures will by default be computed with a
> 256-bit BLAKE2 hash. Old versions of librsync will complain about a bad
> magic number when given these signature files.
>
> So, does anyone know what the effect will be on rdiff-backup?

The only sums that rdiff-backup retains are SHA1 sums, so I doubt that
whatever librsync uses internally would have any effect.

Bob Nichols     "NOSPAM" is really part of my email address.
                Do NOT delete it.
