Package: whirlpool
Version: 1-2
Severity: grave
Tags: patch
Justification: renders package unusable

The hashes generated for files >= 8 KiB (at least on my system, but exact size might be architecture dependent) are wrong. According to iso-test-vectors.txt from http://www.larc.usp.br/~pbarreto/whirlpool.zip :

9. In this example the data-string is the 1000000-byte string consisting of the ASCII-coded version of 'a' repeated 10^6 times.

The hash-code is the following 512-bit string.

0C99005BEB57EFF5 0A7CF005560DDF5D 29057FD86B20BFD6 2DECA0F1CCEA4AF5
1FC15490EDDC47AF 32BB2B66C34FF9AD 8C6008AD677F7712 6953B226E4ED8B01

whirlpooldeep from the package md5deep generates the correct hash, whirlpool does not:

% yes '' |tr \\n a |head -c 1000000 |whirlpooldeep
0c99005beb57eff50a7cf005560ddf5d29057fd86b20bfd62deca0f1ccea4af51fc15490eddc47af32bb2b66c34ff9ad8c6008ad677f77126953b226e4ed8b01
% yes '' |tr \\n a |head -c 1000000 |whirlpool
35c6d1b288d3f92b2d626d104025b4922b6db51372329cf387c68a613d5763328c86a22980eb81d6a198b761b0dd7a5c869e8967b163a6436769817a8dc513ec
%

Files under 8 KiB in size are hashed correctly by both programs. Unfortunately all test inputs in the whirlpool package are < 8 KiB.

The bug is in the way the lengths are added. The loop is sometimes terminated too quickly. This fixes the problem:

--- whirlpool-1/whirlpool.c.orig 2009-04-16 00:36:12.000000000 -0700 +++ whirlpool-1/whirlpool.c 2009-04-16 00:32:38.000000000 -0700 
@@ -340,7 +340,7 @@ * tally the length of the added data: */ u64 value = sourceBits; - for (i = 31, carry = 0; i >= 0 && value != 0LL; i--) { + for (i = 31, carry = 0; i >= 0 && (value || carry); i--) { carry += bitLength[i] + ((u32)value & 0xff); bitLength[i] = (u8)carry; carry >>= 8;

Whirlpool.c from whirlpool.zip also mentions this problem:

 * Differences from version 2.0:
 [...]
 * - Bug fix: nonzero carry was ignored when tallying the data length
 *   (this bug apparently only manifested itself when feeding data
 *   in pieces rather than in a single chunk at once).

Those changes are not included in the whirlpool package.

-- System Information:
Debian Release: 5.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.25.4 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages whirlpool depends on:
ii  libc6  2.7-16  GNU C Library: Shared libraries

whirlpool recommends no packages.

whirlpool suggests no packages.

-- no debconf information
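
Review bot: the new loop condition on the changed `for` line is not covered by any test in the package, since the report notes that all of its test inputs are under 8 KiB and the dropped carry only shows up once the running bit count in bitLength overflows a byte across calls. Please add the ISO vector 9 input (the 10^6-byte 'a' string) to the package's tests, fed in pieces rather than as a single chunk, so a regression in this loop is caught. Minor style point: the old line compared explicitly (`value != 0LL`); writing the new condition as `(value != 0 || carry != 0)` would keep it consistent with the surrounding code.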
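
The length tally described in this report, as an added example that is not code from the whirlpool package or from the reporter: it runs the loop with the original and the patched condition over data fed in pieces and returns the bit count each one records. Assumptions: input is fed in 1024-byte pieces (the page does not state the buffer size), the `value >>= 8` step lies just outside the quoted hunk, and the names `counter_t`, `tally`, `low64` and `recorded_bits` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: 256-bit big-endian bit counter like bitLength[] in the hunk. */
typedef struct { uint8_t bitLength[32]; } counter_t;

/* Add sourceBits to the counter. fixed = 0: original loop condition,
 * fixed = 1: patched condition. value >>= 8 is assumed (outside the hunk). */
static void tally(counter_t *c, uint64_t sourceBits, int fixed)
{
    uint64_t value = sourceBits;
    uint32_t carry = 0;
    for (int i = 31; i >= 0 && (fixed ? (value || carry) : (value != 0)); i--) {
        carry += c->bitLength[i] + ((uint32_t)value & 0xff);
        c->bitLength[i] = (uint8_t)carry;
        carry >>= 8;   /* a nonzero carry here must reach the next byte */
        value >>= 8;
    }
}

/* Low 64 bits of the counter, enough for the sizes used below. */
static uint64_t low64(const counter_t *c)
{
    uint64_t v = 0;
    for (int i = 24; i < 32; i++) v = (v << 8) | c->bitLength[i];
    return v;
}

/* Feed total_bytes in pieces of chunk_bytes; return the recorded bit count. */
uint64_t recorded_bits(uint64_t total_bytes, uint64_t chunk_bytes, int fixed)
{
    counter_t c = {{0}};
    while (total_bytes > 0) {
        uint64_t n = total_bytes < chunk_bytes ? total_bytes : chunk_bytes;
        tally(&c, n * 8, fixed);
        total_bytes -= n;
    }
    return low64(&c);
}

int main(void)
{
    const uint64_t sizes[] = { 8191, 8192, 1000000 }; /* constructed inputs */
    for (int k = 0; k < 3; k++)  /* 1024-byte pieces: an assumption */
        printf("%7llu bytes: original=%llu patched=%llu bits\n",
               (unsigned long long)sizes[k],
               (unsigned long long)recorded_bits(sizes[k], 1024, 0),
               (unsigned long long)recorded_bits(sizes[k], 1024, 1));
    return 0;
}
```

Under these assumptions the original condition first records a wrong length at exactly 8192 bytes, and the same input passed as a single chunk is counted correctly, which matches both the 8 KiB threshold in the report and the upstream changelog note.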