Re: [rdiff-backup-users] Change to librsync

rdiff-backup-users

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [rdiff-backup-users] Change to librsync

From:	Robert Nichols
Subject:	Re: [rdiff-backup-users] Change to librsync
Date:	Sun, 22 Feb 2015 08:32:53 -0600
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0

On 02/21/2015 09:05 PM, Frank Crawford wrote:

Folks,

By the looks of it, the following security change to librsync will have
some effect on rdiff-backup:

====
Changes in librsync 1.0.0 (2015-01-23)

* SECURITY: CVE-2014-8242: librsync previously used a truncated MD4
"strong" check sum to match blocks. However, MD4 is not
cryptographically strong. It's possible that an attacker who can control
the contents of one part of a file could use it to control other regions
of the file, if it's transferred using librsync/rdiff. For example this
might occur in a database, mailbox, or VM image containing some
attacker-controlled data.

To mitigate this issue, signatures will by default be computed with a
256-bit BLAKE2 hash. Old versions of librsync will complain about a bad
magic number when given these signature files.

[SNIP]

So, does anyone know what the effect will be on rdiff-backup?


The only sums that rdiff-backup retains are SHA1 sums, so I doubt that
whatever librsync uses internally would have any effect.

--
Bob Nichols     "NOSPAM" is really part of my email address.
                Do NOT delete it.

[Prev in Thread]

Current Thread

[Next in Thread]

[rdiff-backup-users] Change to librsync, Frank Crawford, 2015/02/21
- Re: [rdiff-backup-users] Change to librsync, Robert Nichols <=

Prev by Date: [rdiff-backup-users] Change to librsync
Next by Date: [rdiff-backup-users] rdiff-backup millions of small files and memory usage
Previous by thread: [rdiff-backup-users] Change to librsync
Next by thread: [rdiff-backup-users] rdiff-backup millions of small files and memory usage
Index(es):
- Date
- Thread