Date: Thu, 26 Aug 2004 18:53:52 +1000 (EST) From: Neo-Vortex <root@Neo-Vortex.Ath.Cx> To: Peter Jeremy <PeterJeremy@optushome.com.au> Cc: freebsd-security@freebsd.org Subject: Re: Report of collision-generation with MD5 Message-ID: <20040826185123.F15778@Neo-Vortex.Ath.Cx> In-Reply-To: <20040826080811.GQ423@cirb503493.alcatel.com.au> References: <6.1.2.0.0.20040818141732.04a6e060@64.7.153.2> <20040825201640.GB25259@odin.ac.hmc.edu> <20040826080811.GQ423@cirb503493.alcatel.com.au>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 26 Aug 2004, Peter Jeremy wrote: > On Wed, 2004-Aug-25 13:16:40 -0700, Brooks Davis wrote: > >On Wed, Aug 25, 2004 at 09:51:50PM +0200, guy@device.dyndns.org wrote: > >> I _believe_ answer is "no", because i _think_ the FreeBSD ports system also > >> verify the size of the archive(s) (cat /usr/ports/any/any/distinfo to see > >> what made me think that). > > I don't believe the size adds much security. it makes it harder for the person, it limits them in what they can do, it also picks up files whos download was interupted... > >Paranoia might suggest adding support for multiple hashes which would > >vastly increase the difficulty of finding a collision > > I'd agree with this. Identifying suitable hashes is a more difficult task. sha-1? rmd160? > >Hmm, one thing to think about might be making sure the various archive > >formats are hard to pad with junk. I think the stream based ones need > >to allow zero pading at the end to support tapes, but it would be > >intresting to see if other junk can end up in pading sections without > >the archiver noticing. If so, that would be a good thing to find a way > >to detect. > > tar uses one (or two) blocks of NULs to mark logical EOF - anything > beyond that is ignored. gzip ignores (but warns) about padding after > its expected EOF. I'm not sure about bzip2. I suspect it would be > possibly to include arbitrary padding inside a ZIP file, though > probably not at the end. This would make it relatively easy to pad a > trojan'd file to any desired size. here is where the size thing comes in... if they have to add padding then it makes it harder (because of warnings, etc)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040826185123.F15778>