On 9/9/22 1:58 PM, Vincent Bernat wrote:
On 2022-09-09 19:36, Matt Corallo wrote:
The attacker is still limited to the target directory. The attacker can send files that were excluded or not requested, but they still end up in the target directory. RPKI validators download stuff in a dedicated download directory
Ah, okay, thanks, its a shame that wasn't included in any of the disclosure posts I managed to find :(
It's explained in the manual page: https://manpages.debian.org/unstable/rsync/rsync.1.en.html#MULTI-HOST_SECURI...
Heh, right, so not in any of the disclosure posts :p
(but it may be shared with several peers)
I assume I'm mis-reading this - RPKI servers aren't able to overwrite output from other RPKI servers, so it shouldn't be shared, no?
Yes, it shouldn't, but maybe RPKI servers are still downloading all of them in a single directory. Looking at cfrpki, it looks like it works this way (didn't test).
Hmm, ouch, is there a corresponding security disclosure from cfrpki? I guess cfrpki sees pretty limited use these days. Thanks, Matt