Date:	Sun, 2 Oct 2011 00:43:14 +0200
From:	Willy Tarreau <w@....eu>
To:	Andy <akwatts@...il.com>
Cc:	schwab@...ux-m68k.org, Greg KH <greg@...ah.com>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: kernel.org status: hints on how to check your machine for intrusion

On Sat, Oct 01, 2011 at 01:40:44PM -0500, Andy wrote:
> On Sat, Oct 01, 2011 at 07:54:56PM +0200, Willy Tarreau wrote:
> >   $ git config tar.umask 022
> 
> Andreas/Willy:
> 
> It was indeed umask which was skewing the results. Thanks.
> 
> Now, I'll wait for Willy's hashes since I can't drill down on
> Linus' 2.6 tree beyond 2.6.x.

OK, I already have something. For now I have all the tar.gz and the
extracted tar hashes, and a number of the git hashes. I'm appending
the file; it's incomplete, as I'm missing some git tags (hashes are
then marked "xxxxx...xxxx").

The file is formatted like this:

  <version> <umask> <user> <group> <tag md5> <tar md5> <tar.gz md5> <status>

Since I can attest that I exclusively extracted the tarballs from the
tar.gz and dumped their md5 at the same time, I'm pretty sure that the
tar.gz's md5 is OK if the tar's md5 is OK. This will help speed up sig
checks on mirrors.

Every time I got a different MD5 between the tarball and the git
tag, it was because of a different user name in the tarball. It seems
that old git versions used to use "git/git" instead of the "root/root"
used now. This is hardcoded so it's not easy to change it, and I suspect
that the tar format might have changed a bit, so if we want to check
those MD5s, either we check on old mirrors that are 100% safe, or we
have to reinstall an old version of git. The differences are for the
following kernels only:

2.6.11 002 torvalds torvalds b390eb0350b4f953a53c16dd5c28810e 6aa8e0b14cdab0757b9474e1a7fb3124 41bb11f9ec307706683c5661f140123e
2.6.12 022 git git 7d26979a123817f8386c12c5abb0e20d 2fbb5cbd5fe9b57861c6e4167a292613 6050857c0808975dc0ee58bc9804ee20
2.6.13 022 git git 8ae2c8d9d4f5cab99d4d21019dddf6a4 e0f2e6fe9c81a01b3d69ff4454e0c415 8978c9b3976fae17923ef3e511b54a26
2.6.14 022 git git 8ee2b4548d71cfa1079ecc2e30723434 9214cedf82c7c5f5639fe40e7c77139a 396029ab7d62bce01122ac50c004a43f
2.6.15 022 git git 2c970565ab3d24d56501091757359bb8 6adddd15e10f2ff228c70733e2e762b3 873a00a1a20d7ccaad2eedc98109d6e1
2.6.18 022 git git fa24e3245d8cb475ebffba763912063c ad43dd75219d9e6a8a9460bbf5f65b3e bc483723670bda09198d72293e712d42
2.6.19 022 git git 2630dcec21807a23b8f3c1d3463a9537 be8a46187734cdb911bb4aa37f864f5a 267a9479c6c6a79a0b2f511ddcc17147
2.6.20.6 022 git git 4300abbeb91cc50b48c086c2c329eab8 a4acbfe6fc54823d96dc257a2595257f fdd2e0336ec063cb8f6a4f36b0a3d257

So far, according to the attached list, 225 out of 478 checked kernel
versions are valid, and I have not found a kernel with an unexpected
mismatch. I have appended a "GOOD" flag on their line. The equivalent
md5sum file can be built this way:

   awk '/GOOD/{print $7"  linux-"$1".tar.gz"}' 26-report4.txt > 26-good.md5

... or it may be fed to md5sum directly:

   awk '/GOOD/{print $7"  linux-"$1".tar.gz"}' 26-report4.txt | md5sum -c

Please note that longterm kernels were moved to specific directories,
which made it a bit cumbersome to retrieve the kernels. There is no
reason it will be easier for you to check your files ;-)

I'm still downloading and extracting all tar.bz2 files to compare their
sigs with the ones in the current file. That way we'll have the whole
list with all reference MD5 sigs available.

I would really appreciate it if someone who has all the missing tags
would fill the entries which currently are marked "xxxxxxxx".

For now I did not consider 3.x since it's in a different download
directory. We might check that later.

Regards,
Willy


View attachment "26-report4.txt" of type "text/plain" (59475 bytes)
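As an added example that is not Willy's script or attachment, the following Python reproduces the checks the mail describes: it parses a report in the whitespace-separated `<version> <umask> <user> <group> <tag md5> <tar md5> <tar.gz md5> <status>` layout, emits the same md5sum list as the awk one-liner, lists the entries whose git tag hash is still the "xxxx..." placeholder, and checks a tarball by hashing both the .tar.gz as shipped and the .tar stream inside it, so that a mismatch tells you whether the gzip wrapper or the tar content differs. The 2.6.12 line is copied from the mail; the `0.0.1`/`0.0.2` entries, the one-file tarball and the helper names are constructed for the example.

```python
"""Added example (not from the mail): parse a 26-report4.txt-style report and check tarballs."""
import gzip
import hashlib
import io
import tarfile
from dataclasses import dataclass
from typing import Dict, List, Tuple

PLACEHOLDER = "x" * 32  # the "xxxxxxxx" marker Willy uses for git tags he does not have


@dataclass
class Entry:
    version: str
    umask: str
    user: str
    group: str
    tag_md5: str     # md5 of the tar produced by `git archive` for the tag
    tar_md5: str     # md5 of the tar extracted from the published tar.gz
    targz_md5: str   # md5 of the published tar.gz
    status: str      # "GOOD" when the hashes agree, "" otherwise


def parse_report(text: str) -> Dict[str, Entry]:
    """<version> <umask> <user> <group> <tag md5> <tar md5> <tar.gz md5> [<status>]"""
    entries: Dict[str, Entry] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # blank or malformed line
        entries[fields[0]] = Entry(*fields[:7], status=fields[7] if len(fields) > 7 else "")
    return entries


def md5sum_lines(entries: Dict[str, Entry]) -> List[str]:
    """Same output as: awk '/GOOD/{print $7"  linux-"$1".tar.gz"}' (two spaces, md5sum -c format)."""
    return [f"{e.targz_md5}  linux-{e.version}.tar.gz"
            for e in entries.values() if e.status == "GOOD"]


def missing_tags(entries: Dict[str, Entry]) -> List[str]:
    """Versions whose tag hash still needs to be filled in by someone holding the tags."""
    return [e.version for e in entries.values() if e.tag_md5 == PLACEHOLDER]


def tarball_hashes(gz_bytes: bytes) -> Tuple[str, str]:
    """Return (md5 of the .tar.gz as shipped, md5 of the decompressed .tar stream)."""
    return (hashlib.md5(gz_bytes).hexdigest(),
            hashlib.md5(gzip.decompress(gz_bytes)).hexdigest())


def check_tarball(entries: Dict[str, Entry], version: str, gz_bytes: bytes) -> str:
    """Classify a tarball against the report so the cause of a mismatch is obvious."""
    entry = entries.get(version)
    if entry is None:
        return "UNKNOWN"            # no reference line for this version
    got_gz, got_tar = tarball_hashes(gz_bytes)
    if got_tar != entry.tar_md5:
        return "TAR-MISMATCH"       # the tar content itself differs: investigate
    if got_gz != entry.targz_md5:
        return "GZ-MISMATCH"        # same tar, different gzip wrapper (header, mtime, level)
    return "GOOD"


def make_sample_tarball(content: bytes, mtime: int = 0) -> bytes:
    """Constructed stand-in for a linux-<ver>.tar.gz: one file, root/root, mode 0644 (umask 022)."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w", format=tarfile.GNU_FORMAT) as tf:
        info = tarfile.TarInfo("linux-0.0.1/Makefile")
        info.size = len(content)
        info.mode = 0o644
        info.uname = info.gname = "root"
        info.mtime = 0
        tf.addfile(info, io.BytesIO(content))
    # A fixed gzip mtime makes the wrapper reproducible; changing it changes only the .tar.gz md5.
    return gzip.compress(tar_buf.getvalue(), mtime=mtime)


def build_sample_entries() -> Dict[str, Entry]:
    """A constructed report: one real line from the mail plus two made-up entries."""
    gz_md5, tar_md5 = tarball_hashes(make_sample_tarball(b"all:\n\techo hi\n"))
    report = (
        # real line from the mail: tag md5 != tar md5 because the tarball says git/git
        "2.6.12 022 git git 7d26979a123817f8386c12c5abb0e20d "
        "2fbb5cbd5fe9b57861c6e4167a292613 6050857c0808975dc0ee58bc9804ee20\n"
        # constructed: tag, tar and tar.gz all agree, so it is flagged GOOD
        f"0.0.1 022 root root {tar_md5} {tar_md5} {gz_md5} GOOD\n"
        # constructed: git tag not available yet, hash left as a placeholder
        f"0.0.2 022 root root {PLACEHOLDER} {tar_md5} {gz_md5}\n"
    )
    return parse_report(report)


if __name__ == "__main__":
    sample = build_sample_entries()
    print("\n".join(md5sum_lines(sample)))
    print("missing tags:", missing_tags(sample))
    print(check_tarball(sample, "0.0.1", make_sample_tarball(b"all:\n\techo hi\n")))
```

The three-way result of `check_tarball` is the point: Willy notes that he can trust the tar.gz md5 whenever the tar md5 is right, so a `GZ-MISMATCH` with a matching tar points at a recompressed wrapper rather than altered content, while a `TAR-MISMATCH` is the case that needs a closer look (in the mail, the benign explanation was the git/git owner in old tarballs).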
