Friday, April 01, 2022

rsync zlib (was: Re: No more imports, prepare for 7.1)

Christian Weisgerber:

> * There was that recent zlib vulnerability.
> How about rsync?

There is a single call to deflateInit*() in rsync, found in token.c:

    if (deflateInit2(&tx_strm, compression_level,
                     Z_DEFLATED, -15, 8,
                     Z_DEFAULT_STRATEGY) != Z_OK) {

The originally reported Z_FIXED vulnerability doesn't affect this.

Eric Biggers' reproducer for

deflateInit2(&strm, 7, Z_DEFLATED, 15, 1, Z_DEFAULT_STRATEGY);

is also not applicable if you read his report:
https://www.openwall.com/lists/oss-security/2022/03/28/1

So it looks like the way rsync uses its modified private copy of
zlib is safe.

--
Christian "naddy" Weisgerber naddy@mips.inka.de
