Mandriva Linux Security Advisory 2015-204 - librsync before 1.0.0 used a truncated MD4 strong check sum to match blocks. However, MD4 is not cryptographically strong. It's possible that an attacker who can control the contents of one part of a file could use it to control other regions of the file, if it's transferred using librsync/rdiff. The change to fix this is not backward compatible with older versions of librsync. Backward compatibility can be obtained using the new rdiff sig --hash=md4 option or through specifying the signature magic in the API, but this should not be used when either the old or new file contain untrusted data. Also, any applications that use the librsync library will need to be recompiled against the updated library. The rdiff-backup packages have been rebuilt for this reason.
f38e16d3da5b3852e8cc748629c4c028e924bad76e990f1120415ab0a14a350e-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:204
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : librsync
Date : April 27, 2015
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
Updated librsync packages fix security vulnerability:
librsync before 1.0.0 used a truncated MD4 strong check sum to match
blocks. However, MD4 is not cryptographically strong. It's possible
that an attacker who can control the contents of one part of a file
could use it to control other regions of the file, if it's transferred
using librsync/rdiff (CVE-2014-8242).
The change to fix this is not backward compatible with older versions
of librsync. Backward compatibility can be obtained using the new
rdiff sig --hash=md4 option or through specifying the signature magic
in the API, but this should not be used when either the old or new
file contain untrusted data.
Also, any applications that use the librsync library will need to
be recompiled against the updated library. The rdiff-backup packages
have been rebuilt for this reason.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8242
http://advisories.mageia.org/MGASA-2015-0146.html
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 1/X86_64:
e9e5dbb84ff6effa94d8b37d805e4500 mbs1/x86_64/lib64rsync2-1.0.0-1.mbs1.x86_64.rpm
db4b256939b54eb5919eceedf50f4192 mbs1/x86_64/lib64rsync-devel-1.0.0-1.mbs1.x86_64.rpm
ffaaf1c1364528d0c18bdda8cf514c34 mbs1/x86_64/rdiff-1.0.0-1.mbs1.x86_64.rpm
fd173f99aecfaa9d1d8d9af132b136b6 mbs1/x86_64/rdiff-backup-1.3.3-6.1.mbs1.x86_64.rpm
707dc6da51d7451541ce83400ee33f3a mbs1/SRPMS/librsync-1.0.0-1.mbs1.src.rpm
eb91121a971f6079d3b666419e08e0db mbs1/SRPMS/rdiff-backup-1.3.3-6.1.mbs1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFVPdL8mqjQ0CJFipgRAprPAJ4l7XA1SlpS/qCd5HNzGYLW8whXcQCgr5/s
n+CANdFiuTkPt47IUCpSzlc=
=1RLm
-----END PGP SIGNATURE-----
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed