Package: elfsign
Version: 0.2.2-2
Severity: grave
Tags: security
Justification: user security hole

ELF sign uses MD5, which is vulnerable to collision attacks. An attacker could 
prepare two ELF files, one legitimate and one malicious, with the same MD5, 
submit the legitimate one for signing, and then transfer the signature to the 
malicious file. This is also possible, though harder to mount, against source 
code. Note: Debian itself doesn't use ELF signatures.
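The report describes a hash-then-sign scheme: the signature covers only the digest of the file, so it verifies for every file that shares that digest, and a collision in the digest function lets the signature be moved between files. The following is an added illustration, not elfsign's code or its on-disk format: a constructed signature blob that records which digest algorithm was used, with a verifier that refuses MD5 outright and an audit helper for finding legacy MD5 signatures. HMAC-SHA256 stands in for the asymmetric signature a real ELF signer would use; the record layout, key and sample contents are all constructed for the example.

```python
import hashlib
import hmac
import struct

# Digest algorithms the verifier still trusts for hash-then-sign. MD5 is
# deliberately absent: a signature over an MD5 digest verifies for every
# file that shares that digest, so a collision lets it be transferred.
ACCEPTED_DIGESTS = frozenset({"sha256", "sha512"})


def _encode(digest_name: str, digest: bytes) -> bytes:
    """Length-prefixed (algorithm name, digest) record; a constructed format."""
    name = digest_name.encode("ascii")
    return (struct.pack(">B", len(name)) + name
            + struct.pack(">B", len(digest)) + digest)


def sign_file(content: bytes, key: bytes, digest_name: str = "sha256") -> bytes:
    """Hash-then-sign: the signature covers only the digest, never the file.
    HMAC-SHA256 stands in for the asymmetric signature a real signer uses."""
    digest = hashlib.new(digest_name, content).digest()
    record = _encode(digest_name, digest)
    tag = hmac.new(key, record, "sha256").digest()
    return record + tag


def _decode(blob: bytes):
    """Split a blob into (digest_name, digest, signed_record, tag)."""
    n = blob[0]
    name = blob[1:1 + n].decode("ascii")
    m = blob[1 + n]
    start = 2 + n
    digest = blob[start:start + m]
    record = blob[:start + m]
    tag = blob[start + m:]
    return name, digest, record, tag


def verify_file(content: bytes, key: bytes, blob: bytes,
                accepted=ACCEPTED_DIGESTS) -> str:
    """Return 'ok' or a short reason for rejection."""
    name, digest, record, tag = _decode(blob)
    # Policy check first: a valid signature over a weak digest is still
    # not evidence about this particular file, so it is rejected before
    # the signature itself is even examined.
    if name not in accepted:
        return f"rejected-digest:{name}"
    expected_tag = hmac.new(key, record, "sha256").digest()
    if not hmac.compare_digest(tag, expected_tag):
        return "bad-signature"
    if not hmac.compare_digest(digest, hashlib.new(name, content).digest()):
        return "digest-mismatch"
    return "ok"


def audit_blobs(blobs) -> list:
    """Digest algorithm of each signature blob, for locating legacy MD5 ones."""
    return [_decode(b)[0] for b in blobs]


if __name__ == "__main__":
    key = b"constructed-demo-key"                       # constructed
    elf = b"\x7fELF" + b"constructed binary contents"   # constructed
    good = sign_file(elf, key, "sha256")
    legacy = sign_file(elf, key, "md5")
    print(verify_file(elf, key, good))     # ok
    print(verify_file(elf, key, legacy))   # rejected-digest:md5
    print(audit_blobs([good, legacy]))     # ['sha256', 'md5']
```

The order of checks in `verify_file` is the point: the digest algorithm is a policy decision taken before the signature is checked, because a correctly formed signature over a collision-prone digest says nothing about which of the colliding files was actually presented for signing. Re-signing existing binaries with a collision-resistant digest, located with `audit_blobs`, is the corresponding migration step.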

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages elfsign depends on:
ii  libc6                         2.10.1-6   GNU C Library: Shared libraries
ii  libssl0.9.8                   0.9.8k-5   SSL shared libraries

elfsign recommends no packages.

elfsign suggests no packages.

-- no debconf information
