public inbox for cygwin-apps@cygwin.com
* [SECURITY] rdiff/librsync, rdiff-backup
@ 2015-06-02 21:21 Yaakov Selkowitz
  2015-06-03  4:56 ` David Rothenberger
  2015-06-07 22:35 ` David Rothenberger
  0 siblings, 2 replies; 4+ messages in thread
From: Yaakov Selkowitz @ 2015-06-02 21:21 UTC (permalink / raw)
  To: cygwin-apps

David,

A checksum collision vulnerability has been found in librsync (rdiff):

https://bugzilla.redhat.com/show_bug.cgi?id=1126712#c17

The solution is to update librsync to 1.0.0; you may wish to consider
the following patch as well:

http://pkgs.fedoraproject.org/cgit/librsync.git/plain/librsync-0.9.7-getopt.patch

Please note that both Fedora and Debian call the main package librsync
based on upstream packaging, from which rdiff could be a subpackage.
The different naming of this package threw me off for a while.  Any
chance we could shuffle the packaging around (I can help with the server
side)?

Then, all librsync-dependent packages need to be rebuilt against 1.0.0,
namely rdiff-backup, which requires the following patch:

http://pkgs.fedoraproject.org/cgit/rdiff-backup.git/plain/rdiff-backup-1.2.8-librsync-1.0.0.patch

You may wish to consider the following patches for rdiff-backup as well:

http://pkgs.fedoraproject.org/cgit/rdiff-backup.git/plain/rdiff-backup--popen2.patch
http://pkgs.fedoraproject.org/cgit/rdiff-backup.git/plain/rdiff-backup-1.2.8-docdir.patch

TIA,

Yaakov


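The following is an added example, not code from librsync, rdiff-backup or this thread. It is a toy rsync-style signature/delta/patch pipeline that shows what a "checksum collision" in the block-matching step means in practice: the delta step decides that a crafted block is identical to a block already in the basis file, so the receiver reconstructs the old bytes instead of the new ones and the transfer is silently wrong. The block size (64 bytes), the use of MD5 and the truncation of the strong checksum to 2 bytes are illustrative assumptions chosen so the brute force finishes in well under a second; they are not librsync's real parameters. The attacker model (someone who can place content in both the basis and the new file) is likewise an assumption. Rerunning the same crafted file with the untruncated hash shows the delta falling back to literals and the patch coming out correct.

```python
"""Toy rsync-style delta with a truncated strong checksum (added example).

Assumptions for illustration only: BLOCK, MD5 and the 2-byte truncation
are NOT librsync's actual settings.
"""
import hashlib

BLOCK = 64       # assumed block size
M = 1 << 16      # modulus of the rsync-style weak checksum


def weak_sum(block):
    """rsync-style two-part checksum (a, b) over one block, packed in 32 bits."""
    a = b = 0
    L = len(block)
    for i, x in enumerate(block):
        a = (a + x) % M
        b = (b + (L - i) * x) % M
    return (b << 16) | a


def strong_sum(block, strong_len):
    """'Strong' checksum truncated to strong_len bytes; the truncation is the weak point."""
    return hashlib.md5(block).digest()[:strong_len]


def signature(basis, strong_len):
    """Map (weak, truncated strong) -> block index for every block of the basis."""
    sig = {}
    for off in range(0, len(basis), BLOCK):
        blk = basis[off:off + BLOCK]
        sig.setdefault((weak_sum(blk), strong_sum(blk, strong_len)), off // BLOCK)
    return sig


def delta(sig, new, strong_len):
    """Describe `new` as ('copy', block_idx) / ('lit', bytes) ops against the signature."""
    ops, lit, i = [], bytearray(), 0
    while i < len(new):
        blk = new[i:i + BLOCK]
        key = (weak_sum(blk), strong_sum(blk, strong_len))
        if len(blk) == BLOCK and key in sig:        # "this block is already on the receiver"
            if lit:
                ops.append(('lit', bytes(lit)))
                lit = bytearray()
            ops.append(('copy', sig[key]))
            i += BLOCK
        else:
            lit.append(new[i])
            i += 1
    if lit:
        ops.append(('lit', bytes(lit)))
    return ops


def patch(basis, ops):
    """Receiver side: rebuild the file from its basis plus the delta."""
    out = bytearray()
    for kind, arg in ops:
        out += basis[arg * BLOCK:(arg + 1) * BLOCK] if kind == 'copy' else arg
    return bytes(out)


def forge_block(target, strong_len, budget=1 << 22):
    """Find a block != target with the same weak sum and the same truncated strong sum.

    Adding (+d, -2d, +d) to three consecutive bytes leaves both parts of the
    weak sum unchanged (the a-deltas cancel; the b-deltas cancel because the
    positions form an arithmetic progression), so only the truncated strong
    hash has to be brute-forced: about 2**(8*strong_len) trials.
    """
    want = strong_sum(target, strong_len)
    base = list(target)
    triples = len(base) // 3
    for n in range(1, budget):
        cand, m, t = base[:], n, 0
        while m and t < triples:            # spread n's base-128 digits over triples
            d = (m % 128) - 63              # d in [-63, 64]
            m //= 128
            i = 3 * t
            cand[i] += d
            cand[i + 1] -= 2 * d
            cand[i + 2] += d
            t += 1
        if min(cand) < 0 or max(cand) > 255:
            continue
        blk = bytes(cand)
        if blk != target and strong_sum(blk, strong_len) == want:
            return blk, n
    raise RuntimeError("no collision within budget")


def demo():
    """Constructed scenario: one unchanged block plus one attacker-known block."""
    prefix = b"-- ordinary file content, unchanged --".ljust(BLOCK, b" ")
    known = b"\x80" * BLOCK                   # block the attacker knows is in the basis
    basis = prefix + known
    forged, trials = forge_block(known, strong_len=2)
    new = prefix + forged                     # the file that should be transferred
    correct = {}
    for strong_len in (2, 16):                # truncated vs full MD5
        sig = signature(basis, strong_len)
        correct[strong_len] = patch(basis, delta(sig, new, strong_len)) == new
    return forged, trials, correct


if __name__ == "__main__":
    forged, trials, correct = demo()
    print("collision found after", trials, "trials")
    print("patch correct with 2-byte strong sum: ", correct[2])   # False
    print("patch correct with 16-byte strong sum:", correct[16])  # True
```

The forged block differs from the known one in at most nine bytes, yet with the truncated checksum the delta emits a copy of the old block and the receiver never sees the new bytes. With the full-length hash the same crafted file is transferred as literals and reconstructs correctly, which is the property the upgrade restores.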

* Re: [SECURITY] rdiff/librsync, rdiff-backup
  2015-06-02 21:21 [SECURITY] rdiff/librsync, rdiff-backup Yaakov Selkowitz
@ 2015-06-03  4:56 ` David Rothenberger
  2015-06-07 22:35 ` David Rothenberger
  1 sibling, 0 replies; 4+ messages in thread
From: David Rothenberger @ 2015-06-03  4:56 UTC (permalink / raw)
  To: cygwin-apps

On 6/2/2015 2:21 PM, Yaakov Selkowitz wrote:
> David,
> 
> A checksum collision vulnerability has been found in librsync (rdiff):
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1126712#c17
> 
> The solution is to update librsync to 1.0.0; you may wish to consider
> the following patch as well:
> 
> http://pkgs.fedoraproject.org/cgit/librsync.git/plain/librsync-0.9.7-getopt.patch
> 
> Please note that both Fedora and Debian call the main package librsync
> based on upstream packaging, from which rdiff could be a subpackage.
> The different naming of this package threw me off for a while.  Any
> chance we could shuffle the packaging around (I can help with the server
> side)?
> 
> Then, all librsync-dependent packages need to be rebuilt against 1.0.0,
> namely rdiff-backup, which requires the following patch:
> 
> http://pkgs.fedoraproject.org/cgit/rdiff-backup.git/plain/rdiff-backup-1.2.8-librsync-1.0.0.patch
> 
> You may wish to consider the following patches for rdiff-backup as well:
> 
> http://pkgs.fedoraproject.org/cgit/rdiff-backup.git/plain/rdiff-backup--popen2.patch
> http://pkgs.fedoraproject.org/cgit/rdiff-backup.git/plain/rdiff-backup-1.2.8-docdir.patch

Thanks for the detailed information. I'll take a look at this over the
weekend. I'll upload the new packages once I get them built and send
another email so you can shuffle things around on the server side.

-- 
David Rothenberger  ----  daveroth@acm.org

Kaufman's First Law of Party Physics:
        Population density is inversely proportional
        to the square of the distance from the keg.


* Re: [SECURITY] rdiff/librsync, rdiff-backup
  2015-06-02 21:21 [SECURITY] rdiff/librsync, rdiff-backup Yaakov Selkowitz
  2015-06-03  4:56 ` David Rothenberger
@ 2015-06-07 22:35 ` David Rothenberger
  2015-06-08  7:28   ` Yaakov Selkowitz
  1 sibling, 1 reply; 4+ messages in thread
From: David Rothenberger @ 2015-06-07 22:35 UTC (permalink / raw)
  To: cygwin-apps

On 6/2/2015 2:21 PM, Yaakov Selkowitz wrote:
> Please note that both Fedora and Debian call the main package librsync
> based on upstream packaging, from which rdiff could be a subpackage.
> The different naming of this package threw me off for a while.  Any
> chance we could shuffle the packaging around (I can help with the server
> side)?

Yaakov,

I've uploaded new librsync packages, but have not created the !ready
file. Would you please shuffle the packaging around?

I have new rdiff-backup packages ready as well; I'll upload those as
soon as librsync is done.

Thanks,
David

-- 
David Rothenberger  ----  daveroth@acm.org

"... an experienced, industrious, ambitious, and often quite
picturesque liar."
                -- Mark Twain


* Re: [SECURITY] rdiff/librsync, rdiff-backup
  2015-06-07 22:35 ` David Rothenberger
@ 2015-06-08  7:28   ` Yaakov Selkowitz
  0 siblings, 0 replies; 4+ messages in thread
From: Yaakov Selkowitz @ 2015-06-08  7:28 UTC (permalink / raw)
  To: cygwin-apps

On Sun, 2015-06-07 at 15:35 -0700, David Rothenberger wrote:
> I've uploaded new librsync packages, but have not created the !ready
> file. Would you please shuffle the packaging around?

Done, librsync-1.0.0 is in place now.

> I have new rdiff-backup packages ready as well; I'll upload those as
> soon as librsync is done.

Whenever you're ready.

Thanks,

Yaakov


