lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Sun, 2 Oct 2011 08:59:57 +0200
From:	Willy Tarreau <w@....eu>
To:	Greg KH <greg@...ah.com>
Cc:	Andy <akwatts@...il.com>, tmhikaru@...il.com,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	hpa@...or.com
Subject: Re: kernel.org status: hints on how to check your machine for intrusion

On Sat, Oct 01, 2011 at 09:39:48PM -0700, Greg KH wrote:
> I've did this a while ago when we were working on verifying the
> tarballs, here's what I got, one column is with the umask unset, and the
> other set to 022, both of them being the sha256sum output.

Thank you very much Greg, that was really helpful.

I re-ran the checks on all those images here. I have updated the
table with a tag "SHA256-COMPARED-OK" instead of the MD5 for the
git tag when I could check that the sha256 of the .tar matched
your tag.

The script ran almsot all the night to check the bz2. I'm posting
here what I have. All the 2.6 kernels between 2.6.0 and 2.6.39.4
have been hashed. The .tar extracted from the .gz and .bz2 always
matched. All tar sums that could be compared to a valid git tag
did match too. I'm attaching the report in the following format :

  version umask user group tagmd5 tarmd5 gzmd5 bz2md5 status

I ran the test on 3.0 with sha256 too and could verify that all of the
tags match the tarballs, and that .gz and .bz2 produce the same tarballs.
I'm appending here the sha256 of all of them :

7f7498f6fe78474b986ee2fd617e4def35041547b2d6f5fd6b347dac592e399c  linux-3.0.tar
64b0228b54ce39b0b2df086109a7b737cde58e3df4f779506ddcaccee90356a0  linux-3.0.tar.bz2
37e8a1b5d1e488cd9a57cb601d2647ea122fd5a7644a6c535d98282925d025e4  linux-3.0.tar.gz
5296531e3dbf7bf55573a2f400403061340eec801ecbaade9793791827bd5b1f  linux-3.0.1.tar
8603c451d6779f55175c2c96a92a40177c89ed4e0217501258214a64c9c4e127  linux-3.0.1.tar.bz2
c786d357d61719bee5da6a37cd01a0061c5a9fa3854334473e68dc0761b56874  linux-3.0.1.tar.gz
d2c0636033bbfc6722e71b566cdc95265cf10af300ff2c3f8fba9ab7ec63b725  linux-3.0.2.tar
0bf66062e2bc23e6fe6fddb329fe06c6994ba5b016c89e2afdf093c059b5c035  linux-3.0.2.tar.bz2
e5a605780183e90bb23784b27ff835215a3ccefaf414bffee375d6bae4bf7048  linux-3.0.2.tar.gz
92769e812e8fc83b226e97d5732d2a0eb96e598f096b4f10085b0352be7492e1  linux-3.0.3.tar
b6a035d724a85f52b6973d11f43a3d215a3226dafc74ea89b8479d4cd4896788  linux-3.0.3.tar.bz2
298b66f3a3d71aa0b6a9ebe73f67b22974e1de51c4093abfd419f462e3c8246f  linux-3.0.3.tar.gz
ca42bbbffb6db60f16a7870bc1f3ddc872596d9ef1bc4794377ed1da101f14f9  linux-3.0.4.tar
13d689714502ed0e4d6224dd322be8b1b4fe39aa3471fd892bb09c181b93d7ef  linux-3.0.4.tar.bz2
0de107e7d73709d772e87dc08ef846b4f7616525a22890430cdb77929cd999f1  linux-3.0.4.tar.gz

That way it's not needed to decompress tarballs anymore to check them,
it's enough to check their sigs using "sha256sum -c".

At this point I don't think it's worth the effort of checking the old
kernels which I was missing nor the ones archived with git/git/000.

Also, I noticed that the 3.0 kernel has umask 002 again.

Hoping this helps,
Willy


View attachment "26-report5.txt" of type "text/plain" (75334 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ