I wonder if this bug can be downgraded (or marked squeeze-ignore).
The weaknesses of MD5 are well-known, and support for it should be
deprecated, but I don't think that needs to be done for squeeze.
Post-squeeze, the solution should fail for MD5 signatures by default.
It should require an explicit
Hi Andrew,
On Sunday 07 March 2010 18:47:29, Andrew Pollock wrote:
[..]
> Hi Stefan,
>
> I'd missed the fact that you'd done this until now. Thanks!
>
> It looks anatomically correct, but makes it impossible to check existing
> signed binaries that have MD5 checksums. It's a good start though, an
On Sun, Jan 24, 2010 at 12:25:12PM +0100, Stefan Potyra wrote:
> Hi,
>
> here's my 5 minute try of converting elfsign to use sha1. It builds fine, but
> I must admit that I have no clue how to test it. Maybe it helps
> nonetheless...
>
Hi Stefan,
I'd missed the fact that you'd done this until
Hi,
here's my 5 minute try of converting elfsign to use sha1. It builds fine, but
I must admit that I have no clue how to test it. Maybe it helps
nonetheless...
Cheers,
Stefan.
--- elfsign-0.2.2.orig/lib/verify.c
+++ elfsign-0.2.2/lib/verify.c
@@ -10,7 +10,7 @@
#include "openssl/objects.
Package: elfsign
Version: 0.2.2-2
Severity: grave
Tags: security
Justification: user security hole
ELF sign uses MD5, which is vulnerable to collision attacks. An attacker could
prepare 2 ELF files: one legitimate and one malicious, having the same MD5, then
submit the legitimate one for signing and then t