Bug 519108 - <net-misc/rsync-3.1.2: MD5 checksum collisions leading to a denial of service
Summary: <net-misc/rsync-3.1.2: MD5 checksum collisions leading to a denial of service
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-08-05 07:22 UTC by Agostino Sarubbo
Modified: 2016-05-30 20:02 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---
Description Agostino Sarubbo gentoo-dev 2014-08-05 07:22:23 UTC
From ${URL} :

Michael Samuel discovered that rsync was vulnerable to checksum collisions. This could prevent rsync from running and syncing files successfully, which could break various applications that use and rely on rsync.

Details are available in the original report:

http://www.openwall.com/lists/oss-security/2014/07/28/1

This will require work with upstream to bring in Michael's proposed libdetectcoll and blake2b changes/get rsync to use something other than MD5.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2016-04-05 23:33:07 UTC
Upstream Fix:

https://git.samba.org/?p=rsync.git;a=commit;h=eac858085e3ac94ec0ab5061d11f52652c90a869

This fix was included in 3.1.2 release.

Added to existing GLSA.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2016-05-30 20:02:22 UTC
This issue was resolved and addressed in GLSA 201605-04 at https://security.gentoo.org/glsa/201605-04 by GLSA coordinator Yury German (BlueKnight).