Your message dated Sun, 27 Dec 2009 09:54:50 +0000
with message-id <1261907690.901024.3605.nullmai...@kmos.homeip.net>
and subject line Package whirlpool has been removed from Debian
has caused the Debian Bug report #524698,
regarding whirlpool generates incorrect hashes for files >= 8192 bytes
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
524698: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=524698
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: whirlpool
Version: 1-2
Severity: grave
Tags: patch
Justification: renders package unusable

The hashes generated for files >= 8 KiB (at least on my system, but
exact size might be architecture dependent) are wrong. According to
iso-test-vectors.txt from
http://www.larc.usp.br/~pbarreto/whirlpool.zip :

  9. In this example the data-string is the 1000000-byte string consisting of 
the ASCII-coded version of 'a' repeated 10^6 times.
  The hash-code is the following 512-bit string.
   0C99005BEB57EFF5 0A7CF005560DDF5D 29057FD86B20BFD6 2DECA0F1CCEA4AF5
   1FC15490EDDC47AF 32BB2B66C34FF9AD 8C6008AD677F7712 6953B226E4ED8B01

whirlpooldeep from the package md5deep generates the correct hash,
whirlpool does not:

% yes '' |tr \\n a |head -c 1000000 |whirlpooldeep
0c99005beb57eff50a7cf005560ddf5d29057fd86b20bfd62deca0f1ccea4af51fc15490eddc47af32bb2b66c34ff9ad8c6008ad677f77126953b226e4ed8b01
% yes '' |tr \\n a |head -c 1000000 |whirlpool
35c6d1b288d3f92b2d626d104025b4922b6db51372329cf387c68a613d5763328c86a22980eb81d6a198b761b0dd7a5c869e8967b163a6436769817a8dc513ec
%

Files under 8 KiB in size are hashed correctly by both programs. 
Unfortunately all test inputs in the whirlpool package are < 8 KiB.

The bug is in the way the lengths are added. The loop is sometimes
terminated too quickly. This fixes the problem:

--- whirlpool-1/whirlpool.c.orig        2009-04-16 00:36:12.000000000 -0700
+++ whirlpool-1/whirlpool.c     2009-04-16 00:32:38.000000000 -0700
@@ -340,7 +340,7 @@
         * tally the length of the added data:
         */
        u64 value = sourceBits;
-       for (i = 31, carry = 0; i >= 0 && value != 0LL; i--) {
+       for (i = 31, carry = 0; i >= 0 && (value || carry); i--) {
                carry += bitLength[i] + ((u32)value & 0xff);
                bitLength[i] = (u8)carry;
                carry >>= 8;
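
Review bot: The changed `for` condition fixes the early exit, but nothing in this patch would catch a regression, since the report notes that every test input shipped with the package is under 8 KiB; add ISO test vector 9 (10^6 bytes of 'a') to the package's tests alongside this change. For consistency with the line it replaces, the condition could use explicit comparisons, `(value != 0LL || carry != 0)`, and the comment above the loop ("tally the length of the added data") is a good place to state that the loop must keep running while a carry is pending.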

Whirlpool.c from whirlpool.zip also mentions this problem:

 * Differences from version 2.0:
 [...]
 * - Bug fix: nonzero carry was ignored when tallying the data length
 *      (this bug apparently only manifested itself when feeding data
 *      in pieces rather than in a single chunk at once).

Those changes are not included in the whirlpool package.


-- System Information:
Debian Release: 5.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.25.4 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages whirlpool depends on:
ii  libc6                         2.7-16     GNU C Library: Shared libraries

whirlpool recommends no packages.

whirlpool suggests no packages.

-- no debconf information



--- End Message ---
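
An added example, not part of the original report or of the whirlpool package: a C model of the 32-byte length tally from the loop in the patch, comparing the original and patched loop conditions when the same input arrives in one piece or in several. The 4096-byte read size, the function names and the `value >>= 8` step (which lies past the visible hunk lines) are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Add sourceBits to a 256-bit big-endian counter.
 * fixed=0: original loop condition; fixed=1: patched condition. */
static void tally(uint8_t bitLength[32], uint64_t sourceBits, int fixed)
{
    uint64_t value = sourceBits;
    uint32_t carry = 0;
    int i;
    for (i = 31; i >= 0 && (fixed ? (value || carry) : value != 0); i--) {
        carry += bitLength[i] + ((uint32_t)value & 0xff);
        bitLength[i] = (uint8_t)carry;
        carry >>= 8;
        value >>= 8;            /* assumed: not among the visible hunk lines */
    }
}

/* Feed `total` bytes in pieces of at most `chunk` bytes and return the
 * low 64 bits of the counter, i.e. the bit length the hash would pad with. */
uint64_t counted_bits(uint64_t total, uint64_t chunk, int fixed)
{
    uint8_t bitLength[32];
    uint64_t done, n, out = 0;
    int i;
    memset(bitLength, 0, sizeof bitLength);
    for (done = 0; done < total; done += n) {
        n = total - done < chunk ? total - done : chunk;
        tally(bitLength, n * 8, fixed);
    }
    for (i = 24; i < 32; i++)
        out = (out << 8) | bitLength[i];
    return out;
}

int main(void)
{
    /* Constructed sizes; 4096-byte reads are an assumption about the caller. */
    const uint64_t sizes[] = { 4096, 8191, 8192, 1000000 };
    size_t k;
    for (k = 0; k < sizeof sizes / sizeof sizes[0]; k++)
        printf("%7llu bytes: original=%llu fixed=%llu bits\n",
               (unsigned long long)sizes[k],
               (unsigned long long)counted_bits(sizes[k], 4096, 0),
               (unsigned long long)counted_bits(sizes[k], 4096, 1));
    return 0;
}
```

With 4096-byte pieces the second piece overflows byte 30 of the counter, the original loop exits before storing the carry, and the length used in the final padding is wrong from 8192 bytes on.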
--- Begin Message ---
Version: 1-2+rm

You filed the bug http://bugs.debian.org/524698 in Debian BTS
against the package whirlpool. I'm closing it at *unstable*, but it will
remain open for older distributions.

For more information about this package's removal, read
http://bugs.debian.org/559255. That bug might give the reasons why
this package was removed and suggestions of possible replacements.

Don't hesitate to reply to this mail if you have any questions.

Thank you for your contribution to Debian.

--
Marco Rodrigues


--- End Message ---
