From owner-freebsd-security@FreeBSD.ORG Thu Aug 26 08:09:27 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0F95F16A4CE for ; Thu, 26 Aug 2004 08:09:27 +0000 (GMT) Received: from mail021.syd.optusnet.com.au (mail021.syd.optusnet.com.au [211.29.132.132]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2C8B343D8A for ; Thu, 26 Aug 2004 08:09:26 +0000 (GMT) (envelope-from PeterJeremy@optushome.com.au) Received: from cirb503493.alcatel.com.au (c211-30-75-229.belrs2.nsw.optusnet.com.au [211.30.75.229]) i7Q89CU11809; Thu, 26 Aug 2004 18:09:13 +1000 Received: from cirb503493.alcatel.com.au (localhost.alcatel.com.au [127.0.0.1])i7Q88DxP048216; Thu, 26 Aug 2004 18:08:13 +1000 (EST) (envelope-from pjeremy@cirb503493.alcatel.com.au) Received: (from pjeremy@localhost)i7Q88BZd048215; Thu, 26 Aug 2004 18:08:11 +1000 (EST) (envelope-from pjeremy) Date: Thu, 26 Aug 2004 18:08:11 +1000 From: Peter Jeremy To: Brooks Davis Message-ID: <20040826080811.GQ423@cirb503493.alcatel.com.au> References: <6.1.2.0.0.20040818141732.04a6e060@64.7.153.2> <20040825201640.GB25259@odin.ac.hmc.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20040825201640.GB25259@odin.ac.hmc.edu> User-Agent: Mutt/1.4.2i cc: freebsd-security@freebsd.org Subject: Re: Report of collision-generation with MD5 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 26 Aug 2004 08:09:27 -0000 On Wed, 2004-Aug-25 13:16:40 -0700, Brooks Davis wrote: >On Wed, Aug 25, 2004 at 09:51:50PM +0200, guy@device.dyndns.org wrote: >> I _believe_ answer is "no", because i _think_ the FreeBSD ports system also >> verify the size of the archive(s) (cat /usr/ports/any/any/distinfo to see >> what made me think that). I don't believe the size adds much security. >Paranoia might suggest adding support for multiple hashes which would >vastly increase the difficulty of finding a collision I'd agree with this. Identifying suitable hashes is a more difficult task. >Hmm, one thing to think about might be making sure the various archive >formats are hard to pad with junk. I think the stream based ones need >to allow zero pading at the end to support tapes, but it would be >intresting to see if other junk can end up in pading sections without >the archiver noticing. If so, that would be a good thing to find a way >to detect. tar uses one (or two) blocks of NULs to mark logical EOF - anything beyond that is ignored. gzip ignores (but warns) about padding after its expected EOF. I'm not sure about bzip2. I suspect it would be possibly to include arbitrary padding inside a ZIP file, though probably not at the end. This would make it relatively easy to pad a trojan'd file to any desired size. -- Peter Jeremy