On Wed, Jun 13, 2007 at 11:14:15PM +0200, Steffen Schulz wrote:
> On 070613 at 10:43, Florian Weimer wrote:
> > AND the fact that it needs to be a valid .deb archive, they are
> > probably more than strong enough.
> 
> This is actually not much of a problem:
> 
> http://www.cits.rub.de/MD5Collisions/
> 
> One example of how to create two files with the same hash that act
> differently. Should work with most active content.

Cool. So the security team can rig an executable that can be modified and still have the same md5.

> With the above results, it would be possible to officially distribute
> nicely behaving software but present specific targets with modified
> packages that do evil.

Yup. Or the security team could just plant a regular backdoor, and not worry about the md5 hash. A sha hash isn't going to change that at all. If you don't trust the security team, you probably shouldn't install security updates.
Mike Stone

