lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20111002053540.GI18690@1wt.eu>
Date:	Sun, 2 Oct 2011 07:35:40 +0200
From:	Willy Tarreau <w@....eu>
To:	"H. Peter Anvin" <hpa@...or.com>
Cc:	Andy <akwatts@...il.com>, schwab@...ux-m68k.org,
	Greg KH <greg@...ah.com>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: kernel.org status: hints on how to check your machine for intrusion

Hi Peter,

On Sat, Oct 01, 2011 at 05:10:44PM -0700, H. Peter Anvin wrote:
> On 10/01/2011 03:43 PM, Willy Tarreau wrote:
> > 
> >   <version> <umask> <user> <group> <tag md5> <tar md5> <tar.gz md5> <status>
> > 
> > Since I can attest that I exclusively extracted the tarballs from the
> > tar.gz and dumped their md5 at the same time, I'm pretty sure that the
> > tar.gz's md5 is OK if the tar's md5 is OK. This will help speed up sig
> > checks on mirrors.
> > 
> 
> By the way, it's usually better to use sha256 or something else more
> modern than MD5.

I know but I wanted to use something fast enough on this small
machine. sha256sum is 3.5 times slower than md5sum. Also, we're
not necessarily looking for an issue by which someone would have
spent his time trying to make an md5 collision here ; re-signing
a modified tarball with gpg as root would have been a lower hanging
fruit.

That said, once we know the tarballs are fine, it will not be that
hard to rebuild the sha256 of the compressed tarballs and match them
against existing images.

> > All the times I got a different MD5 between the tarball and the git
> > tag was because of a different user name in the tarball. It seems
> > that old git versions used to use "git/git" instead of "root/root"
> > now.
> 
> Yes, that change was introduced in git-1.5.0-rc1.

I noticed your comment on this in another mail, thanks for the details.

> > This is hardcoded so it's not easy to change it, and I suspect
> > that the tar format might have changed a bit, so if we want to check
> > those MD5s, either we check on old mirrors that are 100% safe, or we
> > have to reinstall an old version of git.
> 
> ... or extract the tarball and diff the contents versus the git tree.

Indeed.

Regards,
Willy

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ