The constraint that it must "look reasonable to a casual human inspector" doesn't make sense.
The point of the checksum is that you can download the source code and trust it WITHOUT having
to inspect it. Indeed, the point of the checksum is that you trust the maintainers, and the
checksum serves to link that trust with the tarball, with the presumption that the source code
as last checked by the maintainers was what they checksummed.
Also, we're dealing with tar+gzip+PHP code. Certainly it would be completely trivial to append
arbitrary binary data to the tar file which may or may not (depending on the tar
implementation) give a warning when unpacking. I'm not even going to bother analyzing this,
because it's pointless; an attacker need only find one avenue which meets his criteria.
As for file size. This may or may not pose a problem. Certainly from a practical standpoint I
doubt it. This is a relatively huge tarball. The requisite additional data is at most 512
bits, IIRC--the internal block size of MD5--maybe less. People who manually download the
tarball--and bother to check the hash--will also likely ignore the file size, and rightly so.
Any secure cryptographic algorithm isn't sensitive to the input size; if it is, it's not
secure, by definition.
I'm not familiar enough with the weakness of MD5 to judge the complexity of an attack which
doesn't just use a suffix. It may be simply slightly marginally more difficult to find a
collision if you modify the tail instead of appending; I dunno.
Point is, the MD5 checksum is useless, because you cannot trust it anymore.
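The "append arbitrary binary data to the tar file" avenue sketched above, as an added example that is not from the original thread: a defender-side check in Python that gunzips a tarball and walks the ustar headers to see whether anything follows the end-of-archive marker, distinguishing legitimate zero padding from appended bytes. The sample archive is constructed here and the function names are mine, not SquirrelMail's.

```python
import gzip
import io
import tarfile

BLOCK = 512
ZERO = b"\0" * BLOCK

def _entry_size(header: bytes) -> int:
    """Size field of a ustar header: 12 octal bytes at offset 124."""
    field = header[124:136].split(b"\0", 1)[0].strip()
    return int(field, 8) if field else 0

def trailing_data(tar_bytes: bytes) -> bytes:
    """Bytes after the end-of-archive marker (two zero blocks).
    Entries are walked by header so zero blocks inside member contents are
    not mistaken for the marker; zero padding after it (tar rounds archives
    up to its record size) is legitimate and skipped."""
    pos, n = 0, len(tar_bytes)
    while pos + BLOCK <= n:
        header = tar_bytes[pos:pos + BLOCK]
        if header == ZERO:
            while tar_bytes[pos:pos + BLOCK] == ZERO:
                pos += BLOCK
            return tar_bytes[pos:]
        size = _entry_size(header)
        pos += BLOCK + -(-size // BLOCK) * BLOCK  # header + content rounded up
    return b""

def check_tarball(tgz: bytes) -> tuple:
    """('ok', 0); ('tar-trailing', n) for n bytes appended inside the gzip
    stream after the tar marker; ('gzip-trailing', 0) for bytes after the
    gzip member (Python's gzip.decompress rejects those with BadGzipFile)."""
    try:
        tar_bytes = gzip.decompress(tgz)
    except gzip.BadGzipFile:
        return ("gzip-trailing", 0)
    extra = trailing_data(tar_bytes)
    return ("tar-trailing", len(extra)) if extra else ("ok", 0)

def build_tarball(members: dict, appended: bytes = b"") -> bytes:
    """Constructed sample .tar.gz; `appended` goes after the tar end marker."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tf:
        for name, content in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return gzip.compress(raw.getvalue() + appended)
```

GNU tar extracts the clean and the tar-trailing samples identically, which is why a checksum published out of band, not the extractor's silence, is what ties the tarball to the maintainers.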
Point is - you know nothing about cryptography, right?
Posted Dec 17, 2007 22:46 UTC (Mon) by khim (subscriber, #9252)
> I'm not familiar enough with the weakness of MD5 to judge the complexity of an attack which doesn't just use a suffix. It may be simply slightly marginally more difficult to find a collision if you modify the tail instead of appending; I dunno.
It's quite easy to find a collision if you can just modify something in the middle of the file (like a piece of documentation no one cares about or just some picture). But all such attacks will only work if the "black hat" can alter the tarball after it's created and the official signature is created. If the "black hat" can alter your tarball at this stage then you have a lot of much bigger problems than just an MD5 collision: he or she can just add a backdoor directly to the source, create the tarball and sign it - why bother with MD5 collisions at all?
Point is - you know nothing about cryptography, right?
Posted Dec 18, 2007 6:33 UTC (Tue) by njs (guest, #40338)
>if "black hat" can alter the tarball after it's created and official signature is created.
I think you mean, "after [the tarball] is created *but before* the official signature is
created". I.e., they need to perform some sort of complicated swaparoo on the people doing
the security announcement, and if you can do that, then you don't need a hash collision.
MD5's weaknesses are just completely irrelevant to this use case.
Maybe if we try another way of explaining... when people say MD5 is broken, what that means
(for now) is that I can: take that tarball from the website with hash A, and then use it to
create two new, different tarballs that have the same hash B. Critically, A and B will be
different (and I can't pick what B will be ahead of time). So: there are *three* files here:
1) the original, valid tarball, which has hash A, 2) one of my "evil" "copies", which has hash
B, 3) the other one of my "evil" "copies", which also has hash B.
The result is that if you have a file with hash B, you don't know whether that's file (2) or
(3) above, but if you have a file with hash A, then you can be certain that it is file (1).
The security announcement is there to tell you what hash A is.
SquirrelMail 1.4.13 released - older versions compromised
Posted Dec 18, 2007 2:59 UTC (Tue) by tetromino (subscriber, #33846)
> The constraint that it must "look reasonable to a casual human inspector" doesn't make sense.
The constraint makes sense in the specific context of a php script. Too many times, I have
been bitten by an update to a webapp that broke my customized setup. Therefore, whenever I
install an update for a webapp, I look at the diff. Now, I am not a php expert and I don't
analyze it in detail, so it's quite likely that I will miss a subtle backdoor. However, if I
see 100000 lines of garbage that were introduced just to make the md5 sums coincide, I will
become extremely suspicious. I am sure thousands of other people who perform due diligence
when installing updates will notice the same thing.