rsync CVE-2022-29154 and RPKI Validation

Vincent Bernat bernat at luffy.cx
Fri Sep 9 17:58:35 UTC 2022


On 2022-09-09 19:36, Matt Corallo wrote:

>> The attacker is still limited to the target directory. The attacker 
>> can send files that were excluded or not requested, but they still end 
>> up in the target directory. RPKI validators download stuff in a 
>> dedicated download directory
> 
> Ah, okay, thanks, it's a shame that wasn't included in any of the 
> disclosure posts I managed to find :(

It's explained in the manual page: 
https://manpages.debian.org/unstable/rsync/rsync.1.en.html#MULTI-HOST_SECURITY

>> (but it may be shared with several peers)
> 
> I assume I'm mis-reading this - RPKI servers aren't able to overwrite 
> output from other RPKI servers, so it shouldn't be shared, no?

Yes, it shouldn't, but maybe RPKI servers are still downloading all of 
them in a single directory. Looking at cfrpki, it looks like it works 
this way (didn't test).
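The two points above (a server exploiting CVE-2022-29154 can only write inside the target directory rsync was given, and a validator that shares one download directory across repositories therefore lets one repository's server touch another's files) can be checked on the validator side. The block below is an added example written for this page, not code from rsync, cfrpki or any other validator: it derives a separate cache directory per rsync repository from the repository URL and verifies that every path a server delivered stays under that directory. The cache root, the URL layout and the sample file lists are assumptions.

```python
import os
from urllib.parse import urlparse

# Constructed example (not validator code): per-repository cache layout
# plus a containment check for paths delivered by a possibly hostile
# rsync server. CACHE_ROOT is an assumed location.
CACHE_ROOT = "/var/cache/rpki/rsync"


def repo_cache_dir(rsync_url: str, cache_root: str = CACHE_ROOT) -> str:
    """Map rsync://host/module/path to its own directory under cache_root.

    A single shared download directory lets the server of one repository
    drop files where another repository's files live. Keying the directory
    on host + module path keeps repositories apart. Path components are
    validated so a crafted URL cannot name a directory outside cache_root.
    """
    u = urlparse(rsync_url)
    if u.scheme != "rsync" or not u.hostname:
        raise ValueError(f"not an rsync URL: {rsync_url!r}")
    parts = [p for p in u.path.split("/") if p]
    for p in [u.hostname] + parts:
        if p in (".", "..") or "\\" in p:
            raise ValueError(f"unsafe path component {p!r} in {rsync_url!r}")
    return os.path.join(cache_root, u.hostname.lower(), *parts)


def is_contained(dest_dir: str, delivered_path: str) -> bool:
    """True if delivered_path, as named by the server, resolves under dest_dir.

    rsync already confines what a server sends to the target directory
    (rsync(1), MULTI-HOST SECURITY); this repeats the check at the validator
    layer for file names a validator reads back from rsync's output, and
    rejects both '..' escapes and absolute paths.
    """
    dest = os.path.realpath(dest_dir)
    full = os.path.realpath(os.path.join(dest, delivered_path))
    return full == dest or full.startswith(dest + os.sep)


def filter_delivered(dest_dir: str, delivered: list[str]) -> tuple[list[str], list[str]]:
    """Split a server's delivered file list into (accepted, rejected)."""
    accepted, rejected = [], []
    for p in delivered:
        (accepted if is_contained(dest_dir, p) else rejected).append(p)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample: two repositories, one of them sending an escape.
    for url, files in [
        ("rsync://rpki.example.net/repo/ta/", ["ta.mft", "certs/ca.cer"]),
        ("rsync://evil.example.org/repo/", ["x.roa", "../../rpki.example.net/repo/ta/ta.mft"]),
    ]:
        d = repo_cache_dir(url)
        ok, bad = filter_delivered(d, files)
        print(url, "->", d, "accepted", ok, "rejected", bad)
```

With a per-repository directory the second server's escape attempt is rejected, and even a path it could write would land under its own directory rather than in rpki.example.net's.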

