From owner-freebsd-security@FreeBSD.ORG Wed Aug 25 22:08:16 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7836B16A4CE for ; Wed, 25 Aug 2004 22:08:16 +0000 (GMT) Received: from blue.gerhardt-it.com (gw.gerhardt-it.com [204.83.38.103]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2644143D49 for ; Wed, 25 Aug 2004 22:08:14 +0000 (GMT) (envelope-from scott@g-it.ca) Received: from [70.64.67.67] (S0106000393801c60.ss.shawcable.net [70.64.67.67]) by blue.gerhardt-it.com (Postfix) with ESMTP id DFD66FDC0; Wed, 25 Aug 2004 16:08:12 -0600 (CST) In-Reply-To: References: Mime-Version: 1.0 (Apple Message framework v619) Content-Type: text/plain; charset=US-ASCII; format=flowed Message-Id: <40BEB77B-F6E3-11D8-B9B9-000393801C60@g-it.ca> Content-Transfer-Encoding: 7bit From: Scott Gerhardt Date: Wed, 25 Aug 2004 16:08:11 -0600 To: guy@device.dyndns.org X-Mailer: Apple Mail (2.619) cc: freebsd-security@freebsd.org Subject: Re: Report of collision-generation with MD5 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Aug 2004 22:08:16 -0000 > > On 18-Aug-2004 Mike Tancsa wrote: >> As I have no crypto background to evaluate some of the (potentially >> wild >> and erroneous) claims being made in the popular press* (eg >> http://news.com.com/2100-1002_3-5313655.html see quote below), one >> thing >> that comes to mind is the safety of ports. If someone can pad an >> archive >> to come up with the same MD5 hash, this would challenge the security >> of >> the FreeBSD ports system no ? > > I _believe_ answer is "no", because i _think_ the FreeBSD ports system > also > verify the size of the archive(s) (cat /usr/ports/any/any/distinfo to > see > what made me think that). > > Padding would modify archive size. Finding a backdoored version that > both > satisfy producing the same hash and being the same size is probably not > impossible, but how many years would it take ? > > > Now, i may be wrong. Any enlightement welcome. > > -- > Guy > _______________________________________________ > Why not adopt the OpenBSD method for ports. OpenBSD supplies 3 hash/digests for downloaded binaries and sources. Those OpenBSD guys leave nothing to chance. ports/databases/postgresql] scott% cat distinfo MD5 (postgresql-7.3.5.tar.gz) = ef2751173050b97fad8592ce23525ddf RMD160 (postgresql-7.3.5.tar.gz) = 83d5f713d7bfcf3ca57fb2bcc88d052982911d73 SHA1 (postgresql-7.3.5.tar.gz) = fbdab6ce38008a0e741f8b75e3b57633a36ff5ff Thanks, -- Scott A. Gerhardt, P.Geo. Gerhardt Information Technologies