rsync CVE-2022-29154 and RPKI Validation
Matt Corallo
nanog at as397444.net
Fri Sep 9 18:39:01 UTC 2022
On 9/9/22 1:58 PM, Vincent Bernat wrote:
> On 2022-09-09 19:36, Matt Corallo wrote:
>
>>> The attacker is still limited to the target directory. The attacker can send files that were
>>> excluded or not requested, but they still end up in the target directory. RPKI validators
>>> download stuff in a dedicated download directory
>>
>> Ah, okay, thanks, it's a shame that wasn't included in any of the disclosure posts I managed to
>> find :(
>
> It's explained in the manual page:
> https://manpages.debian.org/unstable/rsync/rsync.1.en.html#MULTI-HOST_SECURITY
Heh, right, so not in any of the disclosure posts :p
>>> (but it may be shared with several peers)
>>
>> I assume I'm mis-reading this - RPKI servers aren't able to overwrite output from other RPKI
>> servers, so it shouldn't be shared, no?
>
> Yes, it shouldn't, but maybe RPKI servers are still downloading all of them in a single directory.
> Looking at cfrpki, it looks like it works this way (didn't test).
Hmm, ouch, is there a corresponding security disclosure from cfrpki? I guess cfrpki sees pretty
limited use these days.
Thanks,
Matt
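The concern raised in this thread is that rsync's path restriction only confines a misbehaving server to the target directory, so a validator that fetches several repositories into one shared directory lets one repository's server touch another repository's files. One way a validator operator can detect that is to snapshot the shared directory before and after each per-repository sync and flag any change outside that repository's own subtree. The following Python script is an added example written for this post, not code from rsync, cfrpki or any RPKI validator; the directory layout (`repo-a/`, `repo-b/`), the file names and the simulated sync are constructed fixtures, and the sync callback stands in for whatever transfer the validator actually runs.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Map each path under root (relative, POSIX form) to a content digest.

    Symlinks are recorded by their link target and never followed, so a link
    pointing elsewhere cannot mask a change or pull in files from outside root.
    """
    out = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if p.is_symlink():
                out[rel] = "symlink:" + os.readlink(p)
            else:
                out[rel] = "sha256:" + hashlib.sha256(p.read_bytes()).hexdigest()
    return out


def changes_outside(before: dict, after: dict, allowed_prefix: str) -> list:
    """Paths added, modified or removed between two snapshots that lie outside
    the one subtree the sync was supposed to touch (allowed_prefix)."""
    prefix = allowed_prefix.rstrip("/") + "/"
    touched = {p for p in set(before) | set(after) if before.get(p) != after.get(p)}
    return sorted(p for p in touched if not p.startswith(prefix))


def check_sync(shared_dir: Path, repo_subdir: str, run_sync) -> list:
    """Run one repository's sync and report every change that escaped its subdir.

    run_sync(target) is the operator-supplied transfer (hypothetical callback);
    an empty result means the sync stayed inside shared_dir/repo_subdir.
    """
    before = snapshot(shared_dir)
    run_sync(shared_dir / repo_subdir)
    after = snapshot(shared_dir)
    return changes_outside(before, after, repo_subdir)


def demo() -> list:
    """Constructed fixture: two repositories fetched into one shared directory."""
    with tempfile.TemporaryDirectory() as tmp:
        shared = Path(tmp)
        (shared / "repo-a").mkdir()
        (shared / "repo-b").mkdir()
        (shared / "repo-a" / "a.mft").write_bytes(b"manifest for repo-a (constructed)")
        (shared / "repo-b" / "b.mft").write_bytes(b"manifest for repo-b (constructed)")

        def simulated_sync(target: Path):
            # A well-behaved transfer writes only under its own target ...
            (target / "a.roa").write_bytes(b"new ROA for repo-a (constructed)")
            # ... but since the transfer is bounded by the shared root rather than
            # the subtree, a change to the sibling repository would land as well.
            (target.parent / "repo-b" / "b.mft").write_bytes(b"unexpected rewrite (constructed)")

        return check_sync(shared, "repo-a", simulated_sync)


if __name__ == "__main__":
    escaped = demo()
    print("changes outside repo-a:", escaped or "none")
```

Running the script reports `repo-b/b.mft` as a change the `repo-a` sync had no business making. Giving each repository its own top-level directory removes the problem entirely; this check is for operators who cannot change the layout of a deployed validator and want to notice cross-repository writes when they happen.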