Gentoo Archives: gentoo-dev

From: Chris Bainbridge <chris.bainbridge@×××××.com>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] [Fwd: [gentoo-security] Trojan for Gentoo, part 2]
Date: Sun, 07 Nov 2004 12:01:40
Message-Id: 623652d5041107040116b2fdc9@mail.gmail.com
1 On Sun, 7 Nov 2004 12:51:45 +0100 (MET), Igor V. Rafienko
2 <igorr@×××××××.no> wrote:
3 > on Nov 7, 2004, 11:29, Chris Bainbridge wrote:
4 >
5 > [ ... ]
6 >
7 > | Given that MD5 collisions can be generated in 15 seconds maybe we
8 > | should use something more secure?
9 >
10 >
11 > Hmm... I have heard that MD5 is not collision-resistant[1], but I have not
12 > heard that MD5 is not preimage resistant. Why would
13 > the lack of collision-resistance be a problem in the case of gentoo
14 > package hashes?
15
16 The most likely attack is via a user submitted patch or ebuild being
17 added to the portage tree. Since the user generated the file, he can
18 also generate a corresponding exploit file with the same hash, and
19 then replace the original on the rsync mirrors.
20
21 It's an unlikely attack in practice since as already demonstrated if
22 you've compromised an rsync mirror you can already easily exploit
23 clients.
24
25 --
26 gentoo-dev@g.o mailing list

Replies

Subject Author
Re: [gentoo-dev] [Fwd: [gentoo-security] Trojan for Gentoo, part 2] Chris Gianelloni <wolf31o2@g.o>