* David Kalnischkies <da...@kalnischkies.de>, 2014-06-18, 14:11:
>> [0] And his skepticism was reinforced by (independent) discovery of
>> this bug: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1098738
> *sigh*.... and this is still open? 8-O
> Before someone is rushing to work on that (sorry, I was dreaming)… we
> actually have a rework for hashsum handling in libapt in our
> debian/experimental branch which as a minor side effect also solves this
> one. Required quite some amount of work, multiple api breaks still and
> uhm… testing… but that is overrated. Someone checking this out would
> still be welcomed…

I've been using 1.1 for a while, and I'm happy to confirm that I can no
longer reproduce LP#1098738.

>> I mean MD5 is _really_ broken now... actually I think any secure APT
> If you happen to have a same-size preimage attack on MD5 I would be
> interested to hear about it.

Preimage attack would be the only one to worry about if we were
regenerating all the tarballs ourselves. But this is not the case.
My upstream[0] has just released a new version of his software.
I compared contents of the new tarball with the old one. The diff
looked reasonable (modulo a new tiny security hole: #760455), and I
found nothing suspicious inside. So I'm going to upload this package to
Debian soon.
But maybe this .orig.tar.gz wasn't crafted so that it has an evil twin,
with the same MD5 sum, but with completely different contents when
unpacked. How could I know?
[0] Well, it was either him, or whoever hacked into the FTP server, or
the man in the middle between me and the server. The tarball wasn't
signed, and it was downloaded over HTTP, so you may never know.
--
Jakub Wilk
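To illustrate the distinction drawn above (an upstream, a compromised FTP server or a man in the middle only needs a collision, not a preimage, to ship an evil twin), here is an added Python example that is not from this thread. It uses the published Wang et al. 2004 MD5 collision pair (two raw 128-byte blocks, not tarballs, but chosen-prefix collisions extend the same idea to real files) and shows that a check pinning only MD5 accepts the twin, while pinning SHA-256 alongside does not; the function names are my own.

```python
import hashlib

# Published MD5 collision pair (Wang, Feng, Lai, Yu, 2004): two distinct
# 128-byte messages with identical MD5 digests. Raw blocks, not tarballs,
# but they stand in for the "reviewed tarball" and its "evil twin".
WANG_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
WANG_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def digests(data, algorithms):
    """Hex digests of `data` for each named hashlib algorithm."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def pin(reviewed_file, algorithms):
    """Record the digests of the file the maintainer actually inspected."""
    return digests(reviewed_file, algorithms)


def verify(candidate, pinned):
    """Accept `candidate` only if every pinned digest matches it."""
    return all(hashlib.new(name, candidate).hexdigest() == value
               for name, value in pinned.items())


def evil_twin_undetected(reviewed, twin, algorithms):
    """True if a verifier that pins only `algorithms` accepts the twin."""
    return verify(twin, pin(reviewed, algorithms))


if __name__ == "__main__":
    print("contents identical:", WANG_A == WANG_B)
    print("md5 identical:     ", digests(WANG_A, ["md5"]) == digests(WANG_B, ["md5"]))
    print("sha256 identical:  ", digests(WANG_A, ["sha256"]) == digests(WANG_B, ["sha256"]))
    print("md5-only pin fooled:    ", evil_twin_undetected(WANG_A, WANG_B, ["md5"]))
    print("md5+sha256 pin fooled:  ", evil_twin_undetected(WANG_A, WANG_B, ["md5", "sha256"]))
```

Pinning a second, unbroken digest (or an upstream signature) at review time is what lets the uploader answer "how could I know?" for the copy that later reaches the archive.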
--
Archive: https://lists.debian.org/20140913162408.ga6...@jwilk.net