Package: rhash Version: 1.2.6-1 Severity: serious
This is a user program bug with possibly serious security implications, as any script that relies on rhash for determining file integrity will be affected. Quite simply, rhash fails to verify a number of hash sum types it itself produced. This can easily be seen in the following shell session, which can easily be reproduced on any system:

# Begin shell session output
$ echo "Hello, world" > hello.txt
$ rhash --sha512 hello.txt > hello.sha512
$ sha512sum -c hello.sha512
hello.txt: OK
$ rhash -c hello.sha512
--( Verifying hello.sha512 )----------------------------------------------------
hello.txt                                                                    ERR
--------------------------------------------------------------------------------
Errors Occurred: Errors:1   Miss:0   Success:0   Total:1
$ rhash --sha256 hello.txt > hello.sha256
$ sha256sum -c hello.sha256
hello.txt: OK
$ rhash -c hello.sha256
--( Verifying hello.sha256 )----------------------------------------------------
hello.txt                                                                    ERR
--------------------------------------------------------------------------------
Errors Occurred: Errors:1   Miss:0   Success:0   Total:1
$ rhash --sha1 hello.txt > hello.sha1
$ sha1sum -c hello.sha1
hello.txt: OK
$ rhash -c hello.sha1
--( Verifying hello.sha1 )------------------------------------------------------
hello.txt                                                                    OK
--------------------------------------------------------------------------------
Everything OK
# End shell session output

As can be seen from the above example, rhash fails to verify the integrity ("rhash -c hello.sha512") of the hash sum ("hello.sha512") it printed for the file "hello.txt" ("rhash --sha512 hello.txt > hello.sha512"). This is despite the GNU hash utilities ("coreutils" package) verifying the same file ("sha512sum -c hello.sha512"). The file also passes the checks performed by other hash utilities, including those from the "md5deep", "cfv" and "busybox" ("busybox sha512sum -c hello.sha512") packages.
-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (900, 'testing'), (90, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.39-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_SG.UTF-8, LC_CTYPE=en_SG.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages rhash depends on:
ii  libc6                         2.13-7     Embedded GNU C Library: Shared lib

Versions of packages rhash recommends:
pn  libssl                        <none>     (no description available)

rhash suggests no packages.

-- no debconf information
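A script that depends on one checker's verdict inherits that checker's bugs, so an independent cross-check of the checksum files from the session above is useful. The following is an added example (not part of the bug report, rhash or coreutils): it parses the "<hex digest>  <filename>" lines that rhash, sha*sum and busybox emit, picks the algorithm from the digest width (an assumption: only md5/sha1/sha256/sha512 occur), and verifies with hashlib; `demo()` builds a constructed sample directory with a good entry, a tampered entry and a missing file.

```python
import hashlib
import os
import re
import tempfile

# rhash --sha*, sha*sum and busybox all write "<hex digest>  <filename>" lines, so the
# algorithm can be inferred from the digest width (assumed: only these four occur).
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
LINE_RE = re.compile(r"^([0-9A-Fa-f]+)\s+\*?(.+)$")  # optional "*" = binary-mode marker

def parse_checksum_line(line):
    """Return (algorithm, expected_hex, filename) for one 'hash  file' line."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("unrecognised checksum line: %r" % line)
    digest, filename = m.group(1).lower(), m.group(2)
    if len(digest) not in ALGO_BY_HEX_LEN:
        raise ValueError("digest width %d matches no known algorithm" % len(digest))
    return ALGO_BY_HEX_LEN[len(digest)], digest, filename

def file_digest(path, algo):
    with open(path, "rb") as f:
        return hashlib.new(algo, f.read()).hexdigest()

def verify_checksum_file(checksum_path):
    """Map each listed file to 'OK', 'ERR' or 'MISSING', like sha512sum -c does."""
    results, base = {}, os.path.dirname(checksum_path)
    with open(checksum_path) as f:
        for line in f:
            if not line.strip() or line.startswith(("#", ";")):
                continue  # blank or comment line
            algo, expected, name = parse_checksum_line(line)
            target = os.path.join(base, name)
            if not os.path.isfile(target):
                results[name] = "MISSING"
            else:
                results[name] = "OK" if file_digest(target, algo) == expected else "ERR"
    return results

def demo():
    """Constructed sample mirroring the report: hello.txt, a tampered entry, a missing one."""
    d, data = tempfile.mkdtemp(), b"Hello, world\n"  # what `echo "Hello, world"` writes
    for name in ("hello.txt", "tampered.txt"):
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    good, bad = hashlib.sha512(data).hexdigest(), "0" * 128
    cksum = os.path.join(d, "hello.sha512")
    with open(cksum, "w") as f:
        f.write("%s  hello.txt\n%s  tampered.txt\n%s  absent.txt\n" % (good, bad, good))
    return verify_checksum_file(cksum)
```

Running `demo()` returns {'hello.txt': 'OK', 'tampered.txt': 'ERR', 'absent.txt': 'MISSING'}; pointing `verify_checksum_file()` at a real hello.sha512 written by rhash gives a verdict that does not depend on rhash's own -c mode.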