[68957] trunk/base/ChangeLog
Ryan Schmidt
ryandesign at macports.org
Wed Jun 23 18:00:55 PDT 2010
On Jun 23, 2010, at 19:21, Eric Hall wrote:
> On Wed, Jun 23, 2010 at 07:15:47PM -0500, Ryan Schmidt wrote:
>
>> For another, I'm unsure we really need sha256 checksums in there. It's already complete overkill that we're putting three different checksums; using four verges on crazy. The only reason we put more than one checksum at all is to prevent a vulnerability in any single checksum algorithm from compromising MacPorts' integrity, but this possibility itself is already so extremely remote as to be of virtually no interest at all. Really the only purpose the checksums need to serve is to ensure the distfile the user downloaded is the same one the port maintainer tested with.
>
> From what basis do you make the claim:
>
> ...prevent a vulnerability in any single checksum algorithm from
> compromising MacPorts' integrity, but this possibility itself is
> already so extremely remote...
>
> Did you find a study on this, or do some research?
I should retract the statement that single-checksum-algorithm vulnerabilities are of "virtually no interest at all."
I had not done recent research, and I am by no means a security expert. My understanding had been that it was possible for an attacker to generate two files with different contents but the same md5 hash -- for example, a "good" program that does what the user wanted, and a "bad" program that is some kind of malware. But I thought it was not possible for an attacker to generate a new file that has the same md5 hash as some other existing file. Thus, I thought any Portfile declaring the md5 checksum of a correct distfile should never be vulnerable to an attacker uploading a compromised distfile.
I've now done some research and found this document:
http://www.mscs.dal.ca/~selinger/md5collision/
And while it still appears to be correct that you can't generate a new file with the same hash as an existing file, it would still be possible for an attacker to, say, create two new distfiles, one of which has the same contents as the original, and the other which contains malware, and which both have the same md5 hash as each other (though not the same md5 hash as the original distfile). If an attacker had managed to replace an official distfile with such a modified version, and after that, a Portfile was updated to that version and included the hashes of that modified distfile, then the attacker could later replace their good distfile with their malware distfile.
I still doubt it is possible for someone to craft two files that have not only the same md5 hash but also the same hash using some other algorithm. Thus why we suggest using more than one hash algorithm for each file in Portfile checksums.
"port lint" should probably print a warning for Portfiles that declare a checksum using only a single algorithm.
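
Added example, not part of the original message and not MacPorts' own code: a Python version of the lint check suggested above, together with a verifier that accepts a distfile only when every declared digest matches. It assumes a Portfile `checksums` directive made of algorithm/digest pairs (`md5`, `sha1`, `rmd160`, `sha256`) with optional distfile names; the function names and the sample data are constructed for the illustration.

```python
import hashlib
import re

# Portfile checksum keyword -> hashlib algorithm name
ALGOS = {"md5": "md5", "sha1": "sha1", "rmd160": "ripemd160", "sha256": "sha256"}

def parse_checksums(portfile_text):
    """Return {distfile or None: {algo: hex digest}} from the checksums directive."""
    text = re.sub(r"\\[ \t]*\n", " ", portfile_text)      # join continuation lines
    m = re.search(r"^[ \t]*checksums[ \t]+(.*)$", text, re.MULTILINE)
    tokens = m.group(1).split() if m else []
    declared, distfile, i = {}, None, 0
    while i < len(tokens):
        if tokens[i] in ALGOS and i + 1 < len(tokens):
            declared.setdefault(distfile, {})[tokens[i]] = tokens[i + 1].lower()
            i += 2
        else:                                             # a distfile name opens a group
            distfile = tokens[i]
            i += 1
    return declared

def lint_checksums(portfile_text):
    """Warn for every distfile that is protected by fewer than two algorithms."""
    declared = parse_checksums(portfile_text)
    if not declared:
        return ["no checksums declared"]
    return [f"{name or 'distfile'}: only one checksum algorithm ({', '.join(sums)})"
            for name, sums in declared.items() if len(sums) < 2]

def mismatches(data, sums):
    """Return the algorithms whose digest of data differs from the declared one."""
    bad = []
    for algo, expected in sums.items():
        try:
            actual = hashlib.new(ALGOS[algo], data).hexdigest()
        except ValueError:                                # algorithm missing in this build
            actual = None                                 # counts as a mismatch
        if actual != expected:
            bad.append(algo)
    return bad

# Constructed sample: stand-in distfile bytes and two Portfile fragments.
GOOD = b"constructed distfile contents"
WEAK_PORTFILE = f"checksums  md5 {hashlib.md5(GOOD).hexdigest()}\n"
STRONG_PORTFILE = (f"checksums  md5 {hashlib.md5(GOOD).hexdigest()} \\\n"
                   f"           sha1 {hashlib.sha1(GOOD).hexdigest()} \\\n"
                   f"           sha256 {hashlib.sha256(GOOD).hexdigest()}\n")

if __name__ == "__main__":
    print(lint_checksums(WEAK_PORTFILE))
    print(lint_checksums(STRONG_PORTFILE))
    print(mismatches(b"tampered", parse_checksums(STRONG_PORTFILE)[None]))
```

A replacement distfile has to produce an empty `mismatches` list to be accepted, so a collision in one algorithm alone is not enough when several are declared.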