Bugzilla – Bug 900914
VUL-1: CVE-2014-8242: librsync, rsync: checksum collisions leading to a denial of service
Last modified: 2019-04-26 09:31:43 UTC
rh#1126712 References: https://bugzilla.redhat.com/show_bug.cgi?id=1126712
From http://www.openwall.com/lists/oss-security/2014/10/13/2:
> Use CVE-2014-8242 for this vulnerability in librsync; this CVE ID does
> not apply to rsync.
This CVE is for librsync; rsync hasn't got one yet.
bugbot adjusting priority
From http://www.openwall.com/lists/oss-security/2014/09/18/1 it seems that it can take quite some time until it's fixed in rsync upstream. The PoC patch isn't publicly available.
POC: https://github.com/therealmik/rsync-collision
POC for librsync: https://github.com/therealmik/librsync-collision
Patch and discussion: https://github.com/librsync/librsync/issues/5. We should download the latest version and diff it. The first commit was https://github.com/librsync/librsync/commit/152323729ac831727032daf50a10c1448b48f252, but after that new code was added on top of it.
This is an autogenerated message for OBS integration: This bug (900914) was mentioned in
https://build.opensuse.org/request/show/286356 Factory / librsync
https://build.opensuse.org/request/show/286357 13.2 / librsync
https://build.opensuse.org/request/show/286358 13.1 / librsync
Just Factory and openSUSE are affected?
(In reply to Victor Pereira from comment #10)
> Just Factory and openSUSE are affected?
Nope, the openSUSE one was rejected; upstream changed API+ABI and I would actually have to fix all the depending packages too. So this will be FUN when you guys decide you really want the fix. Also, everything is technically affected.
I asked on oss-sec about rsync: http://www.openwall.com/lists/oss-security/2015/04/11/3
There seems to be no progress at all since the initial report.
Finally there's a fix (and a possible workaround) for rsync: https://bugzilla.redhat.com/show_bug.cgi?id=1197601#c4
rsync upstream added a compatibility flag that makes rsync process the checksum seed prior to the data to avoid the collisions. This change is backwards compatible; the flag will be set only if both the client and the server support it.
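The seed-ordering point above, as an added illustration that is not part of this bug report or of rsync's code: a toy 16-bit Merkle-Damgard checksum (a constructed stand-in for rsync's real MD4/MD5 block checksum) shows why a block collision found offline keeps colliding for every seed when the seed is appended after the data, but is broken by an unknown seed once the seed is hashed first. All constants and function names here are assumptions made for the example.

```python
"""Toy Merkle-Damgard checksum (constructed, NOT rsync's MD4/MD5) showing why
hashing the seed before the data defeats precomputed block collisions, while
the old data-then-seed order lets an offline collision survive any seed."""
import random

MASK32 = 0xFFFFFFFF
IV = 0x243F6A88  # constructed initial state, not taken from rsync


def compress(state: int, word: int) -> int:
    """Lossy compression step: 32-bit input mixed down to a 16-bit state.
    Deliberately weak so that a birthday search finds collisions quickly."""
    x = ((state ^ word) * 0x9E3779B1) & MASK32
    x ^= x >> 16
    return x & 0xFFFF


def toy_hash(words) -> int:
    """Chain compress() over the input words, Merkle-Damgard style."""
    state = IV
    for w in words:
        state = compress(state, w)
    return state


def legacy_sum(data, seed: int) -> int:
    """Pre-fix rsync order: the seed is appended after the data.  Two blocks
    that reach the same chaining state collide no matter what seed follows."""
    return toy_hash(list(data) + [seed])


def proper_sum(data, seed: int) -> int:
    """Post-fix order: the seed enters the hash first, so the chaining state
    the data is hashed from is unknown to whoever precomputed the collision."""
    return toy_hash([seed] + list(data))


def find_colliding_blocks(rng_seed: int = 1):
    """Birthday-search two distinct single-word blocks with equal toy_hash."""
    rng = random.Random(rng_seed)
    seen = {}
    while True:
        w = rng.getrandbits(32)
        h = toy_hash([w])
        if h in seen and seen[h] != w:
            return seen[h], w
        seen[h] = w


def collision_survives(a: int, b: int, seeds, checksum) -> int:
    """Count the seeds for which blocks a and b still collide under checksum."""
    return sum(1 for s in seeds if checksum([a], s) == checksum([b], s))


if __name__ == "__main__":
    a, b = find_colliding_blocks()
    seeds = [0x1, 0x5EED, 0xDEADBEEF, 0x12345678]  # constructed sample seeds
    print(f"blocks {a:#x} and {b:#x} collide: {toy_hash([a]) == toy_hash([b])}")
    print("legacy order keeps collision for", collision_survives(a, b, seeds, legacy_sum), "of", len(seeds))
    print("proper order keeps collision for", collision_survives(a, b, seeds, proper_sum), "of", len(seeds))
```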
This is an autogenerated message for OBS integration: This bug (900914) was mentioned in
https://build.opensuse.org/request/show/337006 13.2+13.1+Leap:42.1 / rsync+rsync.openSUSE_Leap_42.1
This is an autogenerated message for OBS integration: This bug (900914) was mentioned in
https://build.opensuse.org/request/show/338846 Leap:42.1 / rsync
openSUSE-SU-2015:1752-1: An update that solves one vulnerability and has two fixes is now available.
Category: security (moderate)
Bug References: 898513,900914,922710
CVE References: CVE-2014-8242
Sources used:
openSUSE 13.2 (src): rsync-3.1.1-2.7.1
openSUSE 13.1 (src): rsync-3.1.0-21.15.1
Created attachment 655537: rsync patch for SLE-11
Backported commit eac858085e3ac94ec0ab5061d11f52652c90a869.
An update workflow for this issue was started. This issue was rated as "low". Please submit fixed packages until "Jan. 18, 2016". When done, reassign the bug to "security-team@suse.de". /update/121217/.
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2016-01-18. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62401
An update workflow for this issue was started. This issue was rated as "low". Please submit fixed packages until "Jan. 15, 2016". When done, reassign the bug to "security-team@suse.de". /update/62416/.
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2016-01-22. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62416
SUSE-SU-2016:0173-1: An update that solves two vulnerabilities and has two fixes is now available.
Category: security (moderate)
Bug References: 898513,900914,915410,922710
CVE References: CVE-2014-8242,CVE-2014-9512
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src): rsync-3.1.0-6.1
SUSE Linux Enterprise Server 12 (src): rsync-3.1.0-6.1
SUSE Linux Enterprise Desktop 12-SP1 (src): rsync-3.1.0-6.1
SUSE Linux Enterprise Desktop 12 (src): rsync-3.1.0-6.1
SUSE-SU-2016:0176-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 900914,915410
CVE References: CVE-2014-8242,CVE-2014-9512
Sources used:
SUSE Linux Enterprise Server for VMWare 11-SP3 (src): rsync-3.0.4-2.49.1
SUSE Linux Enterprise Server 11-SP4 (src): rsync-3.0.4-2.49.1
SUSE Linux Enterprise Server 11-SP3 (src): rsync-3.0.4-2.49.1
SUSE Linux Enterprise Desktop 11-SP4 (src): rsync-3.0.4-2.49.1
SUSE Linux Enterprise Desktop 11-SP3 (src): rsync-3.0.4-2.49.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): rsync-3.0.4-2.49.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): rsync-3.0.4-2.49.1
This is an autogenerated message for OBS integration: This bug (900914) was mentioned in
https://build.opensuse.org/request/show/698102 15.1 / rsync