From owner-freebsd-security@FreeBSD.ORG Wed Aug 25 19:51:56 2004
From: guy@device.dyndns.org
Date: Wed, 25 Aug 2004 21:51:50 +0200 (CEST)
To: Mike Tancsa
Cc: freebsd-security@freebsd.org
Subject: Re: Report of collision-generation with MD5

On 18-Aug-2004 Mike Tancsa wrote:
> As I have no crypto background to evaluate some of the (potentially wild
> and erroneous) claims being made in the popular press* (eg
> http://news.com.com/2100-1002_3-5313655.html see quote below), one thing
> that comes to mind is the safety of ports.
> If someone can pad an archive
> to come up with the same MD5 hash, this would challenge the security of
> the FreeBSD ports system no ?

I _believe_ the answer is "no", because I _think_ the FreeBSD ports system also
verifies the size of the archive(s) (cat /usr/ports/any/any/distinfo to see
what made me think that).

Padding would modify archive size. Finding a backdoored version that both
satisfies producing the same hash and being the same size is probably not
impossible, but how many years would it take ?

Now, I may be wrong. Any enlightenment welcome.

--
Guy

From owner-freebsd-security@FreeBSD.ORG Wed Aug 25 20:15:02 2004
From: Brooks Davis
Date: Wed, 25 Aug 2004 13:16:40 -0700
To: guy@device.dyndns.org
Cc: freebsd-security@freebsd.org
Subject: Re: Report of collision-generation with MD5

On Wed, Aug 25, 2004 at 09:51:50PM +0200, guy@device.dyndns.org wrote:
>
> On 18-Aug-2004 Mike Tancsa wrote:
> > As I have no crypto background to evaluate some of the (potentially wild
> > and erroneous) claims being made in the popular press* (eg
> > http://news.com.com/2100-1002_3-5313655.html see quote below), one thing
> > that comes to mind is the safety of ports.  If someone can pad an archive
> > to come up with the same MD5 hash, this would challenge the security of
> > the FreeBSD ports system no ?
>
> I _believe_ the answer is "no", because I _think_ the FreeBSD ports system also
> verifies the size of the archive(s) (cat /usr/ports/any/any/distinfo to see
> what made me think that).
>
> Padding would modify archive size. Finding a backdoored version that both
> satisfies producing the same hash and being the same size is probably not
> impossible, but how many years would it take ?

I suspect the fact that the files are compressed also adds significantly
to the difficulty since you don't have a whole lot of direct control over
the bytes of the archive.

Paranoia might suggest adding support for multiple hashes which would
vastly increase the difficulty of finding a collision (unless the hashes
used are broken in a very similar manner). If someone can create a
.bz2 containing a trojan that matches size, MD5, and SHA1, we're
probably totally screwed anyway. ;-) If this were done, adding a tool
to generate multiple hashes in one go would probably make the users
happier since just reading some of the dist files can take a while.
Hmm, one thing to think about might be making sure the various archive
formats are hard to pad with junk. I think the stream based ones need
to allow zero padding at the end to support tapes, but it would be
interesting to see if other junk can end up in padding sections without
the archiver noticing. If so, that would be a good thing to find a way
to detect.

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4

From owner-freebsd-security@FreeBSD.ORG Wed Aug 25 22:08:16 2004
From: Scott Gerhardt
Date: Wed, 25 Aug 2004 16:08:11 -0600
To: guy@device.dyndns.org
Cc: freebsd-security@freebsd.org
Subject: Re: Report of collision-generation with MD5

>
> On 18-Aug-2004 Mike Tancsa wrote:
>> As I have no crypto background to evaluate some of the (potentially wild
>> and erroneous) claims being made in the popular press* (eg
>> http://news.com.com/2100-1002_3-5313655.html see quote below), one thing
>> that comes to mind is the safety of ports.  If someone can pad an archive
>> to come up with the same MD5 hash, this would challenge the security of
>> the FreeBSD ports system no ?
>
> I _believe_ the answer is "no", because I _think_ the FreeBSD ports system also
> verifies the size of the archive(s) (cat /usr/ports/any/any/distinfo to see
> what made me think that).
>
> Padding would modify archive size. Finding a backdoored version that both
> satisfies producing the same hash and being the same size is probably not
> impossible, but how many years would it take ?
>
>
> Now, I may be wrong. Any enlightenment welcome.
>
> --
> Guy
> _______________________________________________
>

Why not adopt the OpenBSD method for ports. OpenBSD supplies 3 hash/digests
for downloaded binaries and sources. Those OpenBSD guys leave nothing to
chance.

ports/databases/postgresql] scott% cat distinfo
MD5 (postgresql-7.3.5.tar.gz) = ef2751173050b97fad8592ce23525ddf
RMD160 (postgresql-7.3.5.tar.gz) = 83d5f713d7bfcf3ca57fb2bcc88d052982911d73
SHA1 (postgresql-7.3.5.tar.gz) = fbdab6ce38008a0e741f8b75e3b57633a36ff5ff

Thanks,

--
Scott A. Gerhardt, P.Geo.
Gerhardt Information Technologies

From owner-freebsd-security@FreeBSD.ORG Thu Aug 26 07:34:35 2004
From: Mohacsi Janos
Date: Thu, 26 Aug 2004 09:34:26 +0200 (CEST)
To: Scott Gerhardt
Cc: freebsd-security@freebsd.org
Cc: Oliver Eikemeier
Subject: Re: Report of collision-generation with MD5

On Wed, 25 Aug 2004, Scott Gerhardt wrote:

>
>>
>> On 18-Aug-2004 Mike Tancsa wrote:
>>> As I have no crypto background to
>>> evaluate some of the (potentially wild
>>> and erroneous) claims being made in the popular press* (eg
>>> http://news.com.com/2100-1002_3-5313655.html see quote below), one thing
>>> that comes to mind is the safety of ports.  If someone can pad an archive
>>> to come up with the same MD5 hash, this would challenge the security of
>>> the FreeBSD ports system no ?
>>
>> I _believe_ the answer is "no", because I _think_ the FreeBSD ports system also
>> verifies the size of the archive(s) (cat /usr/ports/any/any/distinfo to see
>> what made me think that).
>>
>> Padding would modify archive size. Finding a backdoored version that both
>> satisfies producing the same hash and being the same size is probably not
>> impossible, but how many years would it take ?
>>
>>
>> Now, I may be wrong. Any enlightenment welcome.
>>
>> --
>> Guy
>> _______________________________________________
>>
>
> Why not adopt the OpenBSD method for ports. OpenBSD supplies 3 hash/digests
> for downloaded binaries and sources. Those OpenBSD guys leave nothing to
> chance.
>
> ports/databases/postgresql] scott% cat distinfo
> MD5 (postgresql-7.3.5.tar.gz) = ef2751173050b97fad8592ce23525ddf
> RMD160 (postgresql-7.3.5.tar.gz) = 83d5f713d7bfcf3ca57fb2bcc88d052982911d73
> SHA1 (postgresql-7.3.5.tar.gz) = fbdab6ce38008a0e741f8b75e3b57633a36ff5ff

I would also opt for having (by default) additional hash algorithms. I
would prefer using the method of NetBSD: using an external program called
digest (see security/digest port) to select the algorithms. Oliver
Eikemeier is working on a ports building infrastructure and I think it
would be a good idea if this new infrastructure would support multiple
hash algorithms.
The easiest way would be to define a knob like PREFERED_HASH that
would list the algorithms that system would prefer, and REQUIRED_HASH
that would be required to be checked:
- makesum should generate all the PREFERED_HASH
- fetch should fail if any of the REQUIRED_HASH failed

additional bit to NetBSD digest should be extended to have SIZE "hash" -
this is only for simplification of bsd.port.mk rules.

Today setup would be:
PREFERED_HASH= MD5 SIZE
REQUIRED_HASH= MD5 SIZE (except when NO_SIZE defined)

Janos Mohacsi
Network Engineer, Research Associate
NIIF/HUNGARNET, HUNGARY
Key 00F9AF98: 8645 1312 D249 471B DBAE 21A2 9F52 0D1F 00F9 AF98

From owner-freebsd-security@FreeBSD.ORG Thu Aug 26 08:09:27 2004
From: Peter Jeremy
Date: Thu, 26 Aug 2004 18:08:11 +1000
To: Brooks Davis
Cc: freebsd-security@freebsd.org
Subject: Re: Report of collision-generation with MD5

On Wed, 2004-Aug-25 13:16:40 -0700, Brooks Davis wrote:
>On Wed, Aug 25, 2004 at 09:51:50PM +0200, guy@device.dyndns.org wrote:
>> I _believe_ the answer is "no", because I _think_ the FreeBSD ports system also
>> verifies the size of the archive(s) (cat /usr/ports/any/any/distinfo to see
>> what made me think that).

I don't believe the size adds much security.

>Paranoia might suggest adding support for multiple hashes which would
>vastly increase the difficulty of finding a collision

I'd agree with this. Identifying suitable hashes is a more difficult task.

>Hmm, one thing to think about might be making sure the various archive
>formats are hard to pad with junk. I think the stream based ones need
>to allow zero padding at the end to support tapes, but it would be
>interesting to see if other junk can end up in padding sections without
>the archiver noticing. If so, that would be a good thing to find a way
>to detect.

tar uses one (or two) blocks of NULs to mark logical EOF - anything
beyond that is ignored. gzip ignores (but warns) about padding after
its expected EOF. I'm not sure about bzip2. I suspect it would be
possible to include arbitrary padding inside a ZIP file, though
probably not at the end. This would make it relatively easy to pad a
trojan'd file to any desired size.
--
Peter Jeremy

From owner-freebsd-security@FreeBSD.ORG Thu Aug 26 08:37:19 2004
From: Oliver Eikemeier
Date: Thu, 26 Aug 2004 10:37:27 +0200
To: Mohacsi Janos
Cc: freebsd-security@freebsd.org
Cc: Scott Gerhardt
Subject: Re: Report of collision-generation with MD5

Mohacsi Janos wrote:

> [...]
> I would also opt for having (by default) additional hash algorithms. I
> would prefer using the method of NetBSD: using an external program called
> digest (see security/digest port) to select the algorithms. Oliver
> Eikemeier is working on a ports building infrastructure and I think it
> would be a good idea if this new infrastructure would support multiple
> hash algorithms.
> The easiest way would be to define a knob like
> PREFERED_HASH that would list the algorithms that system would prefer,
> and REQUIRED_HASH that would be required to be checked:
> - makesum should generate all the PREFERED_HASH
> - fetch should fail if any of the REQUIRED_HASH failed

devel/portmk supports generation of multiple hashes, although it will
just verify the first of the sufficient ones. the problem is to test
this stuff before 5.3.

-Oliver

From owner-freebsd-security@FreeBSD.ORG Thu Aug 26 08:54:27 2004
From: Neo-Vortex
Date: Thu, 26 Aug 2004 18:53:52 +1000 (EST)
To: Peter Jeremy
Cc: freebsd-security@freebsd.org
Subject: Re: Report of collision-generation with MD5

On Thu, 26 Aug 2004, Peter Jeremy wrote:

> On Wed, 2004-Aug-25 13:16:40 -0700, Brooks Davis wrote:
> >On Wed, Aug 25, 2004 at 09:51:50PM +0200, guy@device.dyndns.org wrote:
> >> I _believe_ the answer is "no", because I _think_ the FreeBSD ports system also
> >> verifies the size of the archive(s) (cat /usr/ports/any/any/distinfo to see
> >> what made me think that).
>
> I don't believe the size adds much security.

it makes it harder for the person, it limits them in what they can do, it
also picks up files whose download was interrupted...

> >Paranoia might suggest adding support for multiple hashes which would
> >vastly increase the difficulty of finding a collision
>
> I'd agree with this. Identifying suitable hashes is a more difficult task.

sha-1? rmd160?

> >Hmm, one thing to think about might be making sure the various archive
> >formats are hard to pad with junk. I think the stream based ones need
> >to allow zero padding at the end to support tapes, but it would be
> >interesting to see if other junk can end up in padding sections without
> >the archiver noticing. If so, that would be a good thing to find a way
> >to detect.
>
> tar uses one (or two) blocks of NULs to mark logical EOF - anything
> beyond that is ignored. gzip ignores (but warns) about padding after
> its expected EOF. I'm not sure about bzip2. I suspect it would be
> possible to include arbitrary padding inside a ZIP file, though
> probably not at the end. This would make it relatively easy to pad a
> trojan'd file to any desired size.

here is where the size thing comes in...
if they have to add padding then it makes it harder (because of warnings, etc)

From owner-freebsd-security@FreeBSD.ORG Thu Aug 26 13:36:09 2004
From: Jan Grant
Date: Thu, 26 Aug 2004 14:35:33 +0100 (BST)
To: Mike Tancsa
Cc: "Peter C. Lai"
Cc: freebsd-security@freebsd.org
Subject: Re: Report of collision-generation with MD5

On Wed, 18 Aug 2004, Mike Tancsa wrote:

> If someone can pad an archive to come
> up with the same MD5 hash, this would challenge the security of the FreeBSD
> ports system no ?

You are correct. However, that is not what the paper is demonstrating.
It's showing how to find two separate strings that you can tack on the
end of an arbitrary file (the strings are parameterised by file contents)
and the resulting MD5 hashes of both new files will be the same. They
will not be the same as that of the original file.

--
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44(0)117 9287088 Fax +44 (0)117 9287112 http://ioctl.org/jan/
That which does not kill us goes straight to our thighs.

From owner-freebsd-security@FreeBSD.ORG Thu Aug 26 19:53:40 2004
From: Chuck Swiger
Date: Thu, 26 Aug 2004 15:53:34 -0400
To: freebsd-security@freebsd.org
Cc: eikemeier@fillmore-labs.com
Subject: Re: Report of collision-generation with MD5

Oliver Eikemeier wrote:
> Mohacsi Janos wrote:
>> I would also opt for having (by default) additional hash algorithms.
[ ... ]
>> The easiest way would be to define a knob like
>> PREFERED_HASH that would list the algorithms that system would prefer,
>> and REQUIRED_HASH that would be required to be checked:
>> - makesum should generate all the PREFERED_HASH
>> - fetch should fail if any of the REQUIRED_HASH failed

makesum ought to generate all of the available hashes, otherwise what happens
if someone sets REQUIRED_HASH to a hash that wasn't PREFERED?

> devel/portmk supports generation of multiple hashes, although it will
> just verify the first of the sufficient ones. the problem is to test
> this stuff before 5.3.

I installed and activated devel/portmk on a 4.10 system. I think I found the
variable to control which algorithms are used, but:

48-sec# cd /usr/ports/astro/accrete
49-sec# env VALID_ALGORITHMS='MD5 SHA1 RMD160' make makesum
50-sec# cat distinfo
MD5 (accrete-1.0.tar.gz) = a8586ec1682cb9545ea380d78a8e83d1
SIZE (accrete-1.0.tar.gz) = 17212

...?

--
-Chuck

PS: Can I vote for a "make distinfo" target, either as an alias of "make
makesum", or as dependency between the distinfo file and the actual
distribution files from /usr/ports/distfiles?
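
Added example (not part of any message in this thread, and not code from bsd.port.mk or devel/portmk): a Python version of the makesum/fetch behaviour discussed above. It reads a distfile once for several algorithms plus SIZE, checks every recorded value rather than only the first, and fails when a required algorithm is missing from distinfo. The function names, the sample file name and the SHA256 entry are assumptions made for the illustration.

```python
import hashlib
import io
import re

# distinfo line shape as shown in the thread: "MD5 (file) = hex", "SIZE (file) = n".
LINE = re.compile(r"^(\w+) \((.+)\) = (\S+)$")

# distinfo name -> hashlib name. SHA256 is an addition not mentioned in the
# thread; RMD160 is omitted because hashlib offers ripemd160 only on some builds.
HASHLIB_NAME = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256"}


def measure(stream, algos, chunk=65536):
    """Read the stream once and return {ALGO: value} for every requested
    algorithm, treating SIZE as one more "hash" as proposed in the thread."""
    hashers = {a: hashlib.new(HASHLIB_NAME[a]) for a in algos if a in HASHLIB_NAME}
    size = 0
    for block in iter(lambda: stream.read(chunk), b""):
        size += len(block)
        for h in hashers.values():
            h.update(block)
    values = {a: h.hexdigest() for a, h in hashers.items()}
    if "SIZE" in algos:
        values["SIZE"] = str(size)
    return values


def make_distinfo(name, stream, algos):
    """The "makesum" side: one pass over the file, one line per algorithm."""
    values = measure(stream, algos)
    return "".join(f"{a} ({name}) = {values[a]}\n" for a in algos if a in values)


def parse_distinfo(text):
    """Return {filename: {ALGO: recorded value}}; unparsable lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            algo, name, value = m.groups()
            entries.setdefault(name, {})[algo] = value.lower()
    return entries


def verify(name, stream, distinfo_text, required):
    """The "fetch" side. Returns a list of problems; an empty list means pass.

    Fails closed: a required algorithm that is missing from distinfo, or that
    this script cannot compute, is a failure, and every recorded value that
    can be computed must match."""
    recorded = parse_distinfo(distinfo_text).get(name, {})
    problems = []
    for algo in required:
        if algo not in recorded:
            problems.append(f"{algo}: required but not recorded")
        elif algo != "SIZE" and algo not in HASHLIB_NAME:
            problems.append(f"{algo}: required but unsupported here")
    actual = measure(stream, list(recorded))
    for algo, value in actual.items():
        if value != recorded[algo]:
            problems.append(f"{algo}: mismatch")
    return problems


def demo():
    """Constructed data: a stand-in distfile, a same-size altered copy, a padded copy."""
    name = "sample-1.0.tar.gz"  # hypothetical file name
    good = b"constructed sample distfile contents\n" * 64
    same_size = b"X" + good[1:]
    padded = good + b"\0" * 512
    distinfo = make_distinfo(name, io.BytesIO(good), ["MD5", "SHA1", "SIZE"])

    def check(data, required):
        return verify(name, io.BytesIO(data), distinfo, required)

    return {
        "good": check(good, ["MD5", "SIZE"]),
        "same_size": check(same_size, ["MD5", "SIZE"]),
        "padded": check(padded, ["MD5", "SIZE"]),
        "missing_required": check(good, ["MD5", "SHA256"]),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, problems or "OK")
```
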
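
Added example (not from any message in this thread and not taken from any archiver): a Python check for the two padding spots Brooks Davis and Peter Jeremy describe earlier in the thread, namely bytes after the end of the gzip stream and non-NUL bytes after tar's end-of-archive block. The sample archives are constructed in the code, and the function names are assumptions.

```python
import gzip
import io
import tarfile
import zlib

BLOCK = 512  # tar block size


def split_gzip(blob):
    """Decompress the first gzip member; return (payload, trailing bytes).
    Trailing bytes may be a second, legitimate gzip member; they are
    reported either way so a human can decide."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+ selects the gzip container
    payload = d.decompress(blob) + d.flush()
    if not d.eof:
        raise ValueError("gzip stream is truncated")
    return payload, d.unused_data


def bytes_after_tar_eof(tar):
    """Walk the tar headers to the first all-NUL block (logical EOF) and
    return the non-NUL bytes that follow it; None if no EOF block exists.
    Assumes octal size fields (GNU base-256 sizes are not handled)."""
    pos = 0
    while pos + BLOCK <= len(tar):
        header = tar[pos:pos + BLOCK]
        if header.count(0) == BLOCK:
            return bytes(b for b in tar[pos:] if b)
        size = int(header[124:136].strip(b"\0 ").decode("ascii") or "0", 8)
        pos += BLOCK + (size + BLOCK - 1) // BLOCK * BLOCK  # header + padded data
    return None


def inspect_tgz(blob):
    """List content that extraction would silently skip."""
    payload, extra = split_gzip(blob)
    hidden = bytes_after_tar_eof(payload)
    findings = []
    if extra:
        findings.append(f"{len(extra)} bytes after end of gzip stream")
    if hidden is None:
        findings.append("no tar end-of-archive block")
    elif hidden:
        findings.append(f"{len(hidden)} non-NUL bytes after tar end-of-archive")
    return findings


def build_samples():
    """Constructed inputs: a clean .tar.gz and two copies carrying extra bytes."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tf:
        data = b"hello from a constructed distfile\n"
        info = tarfile.TarInfo("sample-1.0/README")  # hypothetical member name
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    tar = raw.getvalue()
    return {
        "clean": gzip.compress(tar),
        "gzip_trailer": gzip.compress(tar) + b"EXTRA",
        "tar_trailer": gzip.compress(tar + b"junk after eof"),
    }


def demo():
    return {name: inspect_tgz(blob) for name, blob in build_samples().items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "nothing unexpected")
```
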

From owner-freebsd-security@FreeBSD.ORG Thu Aug 26 22:08:50 2004
From: Oliver Eikemeier
Date: Fri, 27 Aug 2004 00:08:55 +0200
To: Chuck Swiger
Cc: freebsd-security@freebsd.org
Subject: Re: Report of collision-generation with MD5

Chuck Swiger wrote:

>> devel/portmk supports generation of multiple hashes, although it will
>> just verify the first of the sufficient ones. the problem is to test
>> this stuff before 5.3.
>
> I installed and activated devel/portmk on a 4.10 system. I think I
> found the variable to control which algorithms are used, but:
>
> 48-sec# cd /usr/ports/astro/accrete
> 49-sec# env VALID_ALGORITHMS='MD5 SHA1 RMD160' make makesum
> 50-sec# cat distinfo
> MD5 (accrete-1.0.tar.gz) = a8586ec1682cb9545ea380d78a8e83d1
> SIZE (accrete-1.0.tar.gz) = 17212
>
> ...?

VALID_ALGORITHMS are the accepted ones.
The list of algorithms generated is DISTINFO_ALGORITHMS.

-Oliver

From owner-freebsd-security@FreeBSD.ORG Fri Aug 27 00:21:15 2004
From: Ng Pheng Siong
Date: Fri, 27 Aug 2004 08:21:00 +0800
To: freebsd-security@freebsd.org
Subject: ipfw core dump

Hi,

This is the first time I've come across this:

  pid 11415 (ipfw), uid 0: exited on signal 11 (core dumped)

The core dump landed in root's home directory in one of my jails.

Has anyone seen this before? Should I be concerned? chkrootkit says
nothing. (How trustworthy is its output? ;-)

Thanks. Cheers.
--
Ng Pheng Siong
http://firewall.rulemaker.net -+- Cisco PIX & Netscreen Config Version Control
http://sandbox.rulemaker.net/ngps -+- M2Crypto, ZServerSSL for Zope, Blog

From owner-freebsd-security@FreeBSD.ORG Fri Aug 27 01:51:58 2004
From: "David D.W. Downey"
Date: Thu, 26 Aug 2004 21:51:54 -0400
To: Ng Pheng Siong
Cc: freebsd-security@freebsd.org
Subject: Re: ipfw core dump

On Fri, 27 Aug 2004 08:21:00 +0800, Ng Pheng Siong wrote:
> Hi,
>
> This is the first time I've come across this:
>
>   pid 11415 (ipfw), uid 0: exited on signal 11 (core dumped)
>
> The core dump landed in root's home directory in one of my jails.
>
> Has anyone seen this before? Should I be concerned? chkrootkit says
> nothing. (How trustworthy is its output? ;-)
>

I have on a src upgrade from 4.10-RELEASE-p2 to 5.2.1. I can give no
details as to the "why".

--
David D.W. Downey

From owner-freebsd-security@FreeBSD.ORG Fri Aug 27 05:49:13 2004
From: Neo-Vortex
Date: Fri, 27 Aug 2004 15:49:05 +1000 (EST)
To: ngps@netmemetic.com
Cc: freebsd-security@freebsd.org
Subject: Re: ipfw core dump

On Fri, 27 Aug 2004 08:21:00 +0800, Ng Pheng Siong wrote:
> Hi,
>
> This is the first time I've come across this:
>
>   pid 11415 (ipfw), uid 0: exited on signal 11 (core dumped)
>
> The core dump landed in root's home directory in one of my jails.
>
> Has anyone seen this before? Should I be concerned? chkrootkit says
> nothing. (How trustworthy is its output? ;-)
>

ummm, what version/patch level of freebsd?
also, what does gdb say about it? where abouts did it crash? also, what were you doing when it done it? From owner-freebsd-security@FreeBSD.ORG Fri Aug 27 08:55:25 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6565116A4CE for ; Fri, 27 Aug 2004 08:55:25 +0000 (GMT) Received: from mail.rdstm.ro (mail.rdstm.ro [193.231.233.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8E7CC43D39 for ; Fri, 27 Aug 2004 08:55:24 +0000 (GMT) (envelope-from aanton@spintech.ro) Received: from [10.0.0.2] (casa_auto [81.196.32.25]) by mail.rdstm.ro (8.12.10/8.12.1) with ESMTP id i7R8sffh032555 for ; Fri, 27 Aug 2004 11:54:41 +0300 Message-ID: <412EF6F7.9000900@spintech.ro> Date: Fri, 27 Aug 2004 11:55:19 +0300 From: Anton Alin-Adrian User-Agent: Mozilla Thunderbird 0.7.1 (X11/20040706) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-security@freebsd.org References: <20040827002100.GB653@vista.netmemetic.com> <6917b781040826185127c7b744@mail.gmail.com> <20040827154731.G78094@Neo-Vortex.Ath.Cx> In-Reply-To: <20040827154731.G78094@Neo-Vortex.Ath.Cx> X-Enigmail-Version: 0.84.2.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: ipfw core dump X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 27 Aug 2004 08:55:25 -0000 Neo-Vortex wrote: > > On Fri, 27 Aug 2004 08:21:00 +0800, Ng Pheng Siong wrote: > >>Hi, >> >>This is the first time I've come across this: >> >> pid 11415 (ipfw), uid 0: exited on signal 11 (core dumped) >> >>The core dump landed in root's home directory in one of my jails. >> >>Has anyone seen this before? Should I be concerned? chkrootkit says >>nothing. 
(How trustworthy is its output? ;-) >> > > > ummm, what version/patch level of freebsd? also, what does gdb say about > it? > > where abouts did it crash? > > also, what were you doing when it done it? Yes, it would be nice if you could also attach the ipfw.core file. Regards, -- Alin-Adrian Anton Spintech Systems GPG keyID 0x1E2FFF2E (2963 0C11 1AF1 96F6 0030 6EE9 D323 639D 1E2F FF2E) gpg --keyserver pgp.mit.edu --recv-keys 1E2FFF2E From owner-freebsd-security@FreeBSD.ORG Fri Aug 27 10:08:38 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B1E3616A4CE for ; Fri, 27 Aug 2004 10:08:38 +0000 (GMT) Received: from Neo-Vortex.Ath.Cx (203-217-81-134.dyn.iinet.net.au [203.217.81.134]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7F6CE43D39 for ; Fri, 27 Aug 2004 10:08:37 +0000 (GMT) (envelope-from root@Neo-Vortex.Ath.Cx) Received: from localhost.Neo-Vortex.got-root.cc (Neo-Vortex@localhost.Neo-Vortex.got-root.cc [127.0.0.1]) by Neo-Vortex.Ath.Cx (8.12.10/8.12.10) with ESMTP id i7RA8H0p090791; Fri, 27 Aug 2004 20:08:31 +1000 (EST) (envelope-from root@Neo-Vortex.Ath.Cx) Date: Fri, 27 Aug 2004 20:08:17 +1000 (EST) From: Neo-Vortex To: Anton Alin-Adrian In-Reply-To: <412EF6F7.9000900@spintech.ro> Message-ID: <20040827200714.C90788@Neo-Vortex.Ath.Cx> References: <20040827002100.GB653@vista.netmemetic.com> <20040827154731.G78094@Neo-Vortex.Ath.Cx> <412EF6F7.9000900@spintech.ro> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: freebsd-security@freebsd.org Subject: Re: ipfw core dump X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 27 Aug 2004 10:08:38 -0000 On Fri, 27 Aug 2004, Anton Alin-Adrian wrote: > Yes, it would be nice if you could also attach the ipfw.core 
file. he he, you think hes stupid? core files can contain sensative information... also it would be pointless unless we had the exact same binary as he had with the same libraries (well, not entirely pointless, but easier for him to do it :P) From owner-freebsd-security@FreeBSD.ORG Fri Aug 27 10:57:52 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7594316A4CE for ; Fri, 27 Aug 2004 10:57:52 +0000 (GMT) Received: from mail.rdstm.ro (mail.rdstm.ro [193.231.233.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id C6A2143D6B for ; Fri, 27 Aug 2004 10:57:51 +0000 (GMT) (envelope-from aanton@spintech.ro) Received: from [10.0.0.2] (casa_auto [81.196.32.25]) by mail.rdstm.ro (8.12.10/8.12.1) with ESMTP id i7RAv9fh013363 for ; Fri, 27 Aug 2004 13:57:09 +0300 Message-ID: <412F13AB.6050801@spintech.ro> Date: Fri, 27 Aug 2004 13:57:47 +0300 From: Anton Alin-Adrian User-Agent: Mozilla Thunderbird 0.7.1 (X11/20040706) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-security@freebsd.org References: <20040827002100.GB653@vista.netmemetic.com> <6917b781040826185127c7b744@mail.gmail.com> <20040827154731.G78094@Neo-Vortex.Ath.Cx> <412EF6F7.9000900@spintech.ro> <20040827200714.C90788@Neo-Vortex.Ath.Cx> In-Reply-To: <20040827200714.C90788@Neo-Vortex.Ath.Cx> X-Enigmail-Version: 0.84.2.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: ipfw core dump X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 27 Aug 2004 10:57:52 -0000 Neo-Vortex wrote: > On Fri, 27 Aug 2004, Anton Alin-Adrian wrote: > > >>Yes, it would be nice if you could also attach the ipfw.core file. 
> > > he he, you think hes stupid? core files can contain sensative > information... also it would be pointless unless we had the exact same > binary as he had with the same libraries (well, not entirely pointless, > but easier for him to do it :P) > > No i was not thinking of anything unethical. He could have inspected the .core file before sending it. However, I doubt an ipfw core file would contain sensitive information (like passwords and etc). What could it contain, the ACL? The ACL is not secret and who cares anyway? I'm just interested in possible firewall bugs. Yours, -- Alin-Adrian Anton Spintech Systems GPG keyID 0x1E2FFF2E (2963 0C11 1AF1 96F6 0030 6EE9 D323 639D 1E2F FF2E) gpg --keyserver pgp.mit.edu --recv-keys 1E2FFF2E From owner-freebsd-security@FreeBSD.ORG Fri Aug 27 11:51:09 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6A28616A4CE for ; Fri, 27 Aug 2004 11:51:09 +0000 (GMT) Received: from Neo-Vortex.Ath.Cx (203-217-81-134.dyn.iinet.net.au [203.217.81.134]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0540143D53 for ; Fri, 27 Aug 2004 11:51:08 +0000 (GMT) (envelope-from root@Neo-Vortex.Ath.Cx) Received: from localhost.Neo-Vortex.got-root.cc (Neo-Vortex@localhost.Neo-Vortex.got-root.cc [127.0.0.1]) by Neo-Vortex.Ath.Cx (8.12.10/8.12.10) with ESMTP id i7RBp40p095974; Fri, 27 Aug 2004 21:51:05 +1000 (EST) (envelope-from root@Neo-Vortex.Ath.Cx) Date: Fri, 27 Aug 2004 21:51:04 +1000 (EST) From: Neo-Vortex To: Anton Alin-Adrian In-Reply-To: <412F13AB.6050801@spintech.ro> Message-ID: <20040827214909.K95897@Neo-Vortex.Ath.Cx> References: <20040827002100.GB653@vista.netmemetic.com> <20040827154731.G78094@Neo-Vortex.Ath.Cx> <20040827200714.C90788@Neo-Vortex.Ath.Cx> <412F13AB.6050801@spintech.ro> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: freebsd-security@freebsd.org Subject: Re: ipfw core dump X-BeenThere: 
freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 27 Aug 2004 11:51:09 -0000 On Fri, 27 Aug 2004, Anton Alin-Adrian wrote: > Neo-Vortex wrote: > > On Fri, 27 Aug 2004, Anton Alin-Adrian wrote: > > > > > >>Yes, it would be nice if you could also attach the ipfw.core file. > > > > > > he he, you think hes stupid? core files can contain sensative > > information... also it would be pointless unless we had the exact same > > binary as he had with the same libraries (well, not entirely pointless, > > but easier for him to do it :P) > > > > > > No i was not thinking of anything unethical. He could have inspected the > .core file before sending it. Yes, but say he didnt... and not neccessairly you, but anyone who is subscribed to these forums... > > However, I doubt an ipfw core file would contain sensitive information > (like passwords and etc). What could it contain, the ACL? The ACL is not > secret and who cares anyway? if it is indeed backdoor'd who knows what it could be accessing at the time? > > I'm just interested in possible firewall bugs. yes, but it would be easier to get him to load up gdb and do a backtrace on it as for the whole same version of file and libraries thing... 
> > Yours, > -- > Alin-Adrian Anton > Spintech Systems > GPG keyID 0x1E2FFF2E (2963 0C11 1AF1 96F6 0030 6EE9 D323 639D 1E2F FF2E) > gpg --keyserver pgp.mit.edu --recv-keys 1E2FFF2E > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > From owner-freebsd-security@FreeBSD.ORG Sat Aug 28 16:16:15 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AAD2116A4CE for ; Sat, 28 Aug 2004 16:16:15 +0000 (GMT) Received: from vista.netmemetic.com (bb-203-125-44-190.singnet.com.sg [203.125.44.190]) by mx1.FreeBSD.org (Postfix) with ESMTP id 600BB43D64 for ; Sat, 28 Aug 2004 16:16:15 +0000 (GMT) (envelope-from ngps@netmemetic.com) Received: by vista.netmemetic.com (Postfix, from userid 100) id 863C880D; Sun, 29 Aug 2004 00:15:59 +0800 (SGT) Date: Sun, 29 Aug 2004 00:15:59 +0800 From: Ng Pheng Siong To: Andrew McNaughton Message-ID: <20040828161559.GG576@vista.netmemetic.com> References: <20040827002100.GB653@vista.netmemetic.com> <20040827181034.G6278@a2.scoop.co.nz> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20040827181034.G6278@a2.scoop.co.nz> User-Agent: Mutt/1.4.1i cc: freebsd-security@freebsd.org Subject: Re: ipfw core dump X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 28 Aug 2004 16:16:15 -0000 On Fri, Aug 27, 2004 at 06:12:28PM +1200, Andrew McNaughton wrote: > Is ipfw in your jail in sync with the kernel? It should be. Gdb'ing the core file shows a bunch of "???". Anyways, thank you and all others for your suggestions. 
It has happened again, and the core file registered the same time, at 3.01am. I'm conjecturing that this is caused by the periodic/security stuff in one of 500.ipfwdenied or 550.ipfwlimit. Maybe a bug in ipfw. Does this ring a bell with anyone? Thanks. Cheers. -- Ng Pheng Siong http://firewall.rulemaker.net -+- Cisco PIX & Netscreen Config Version Control http://sandbox.rulemaker.net/ngps -+- M2Crypto, ZServerSSL for Zope, Blog
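
The last message's reasoning (the same crash time on successive days points at a scheduled job) can be checked over the system log. This is an added example, not code from anyone in the thread: it parses the kernel "exited on signal" message quoted above and reports processes that crash inside a scheduled job's window on more than one day. The syslog prefix layout, the `SCHEDULE` table and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Message text as quoted in the thread ("pid N (name), uid N: exited on signal N");
# the syslog prefix (date, time, host, "kernel:") is an assumed layout.
CRASH_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d{1,2})\s+(?P<hh>\d{2}):(?P<mm>\d{2}):\d{2}\s+\S+\s+"
    r"/?kernel:\s+pid\s+\d+\s+\((?P<proc>[^)]+)\),\s+uid\s+(?P<uid>\d+):\s+"
    r"exited on signal\s+(?P<sig>\d+)(?P<core>\s+\(core dumped\))?"
)

# Job start times to test against; 03:01 is "periodic daily" in a stock /etc/crontab.
SCHEDULE = {"periodic daily": (3, 1)}

# Constructed sample log; host name, second pid and seconds are made up.
SAMPLE_LOG = """\
Aug 27 03:01:14 jailhost kernel: pid 11415 (ipfw), uid 0: exited on signal 11 (core dumped)
Aug 27 14:22:50 jailhost kernel: pid 20311 (httpd), uid 80: exited on signal 11
Aug 28 03:01:12 jailhost kernel: pid 13907 (ipfw), uid 0: exited on signal 11 (core dumped)
Aug 28 09:10:03 jailhost sshd[411]: Accepted publickey for admin
"""

def parse_crashes(text):
    """Return one record per 'exited on signal' line; other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = CRASH_RE.match(line)
        if m:
            records.append({
                "day": " ".join(m["day"].split()),
                "minute_of_day": int(m["hh"]) * 60 + int(m["mm"]),
                "proc": m["proc"], "uid": int(m["uid"]),
                "signal": int(m["sig"]), "core": m["core"] is not None,
            })
    return records

def crashes_on_schedule(records, schedule=SCHEDULE, window=10, min_days=2):
    """Map (proc, job) -> days on which proc crashed within `window` minutes
    after the job's start time, keeping only pairs seen on >= min_days days."""
    hits = defaultdict(set)
    for rec in records:
        for job, (hh, mm) in schedule.items():
            if 0 <= rec["minute_of_day"] - (hh * 60 + mm) <= window:
                hits[(rec["proc"], job)].add(rec["day"])
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_days}

if __name__ == "__main__":
    for (proc, job), days in crashes_on_schedule(parse_crashes(SAMPLE_LOG)).items():
        print(f"{proc}: crashed during '{job}' window on {', '.join(days)}")
```

A hit narrows the search to whatever the scheduled job runs; it does not by itself say which script triggered the crash or rule out other causes.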