Package: coreutils
Version: 8.23-4
Debian Release: jessie/stable

The behavior when running "md5sum -c all.md5" with the "all.md5" file containing the following as example:

(all.md5)
d41d8cd98f00b204e9800998ecf8427e  -

results in md5sum hanging as it is waiting for stdin inside the code, which shouldn't be, since a script writer using "md5sum -c" is expecting a check & return of control.

I stumbled on that behavior unexpectedly today, and found this existing bug and I am adding my feedback.

To give some context, the above file was generated inadvertently by a failed "find" command which fed a null into md5sum: (the stdin was null)

    find ./path -print0 | xargs -0 md5sum > all.md5
    ^ find command failed, passing null to md5sum, and thus the resulting file above

One might argue that the output of md5sum should remain as is including the "-", however the "md5sum -c" command regardless shouldn't hang when processing such a file.

Also, this behavior has a security implication as it could be weaponized as a denial of service by a malicious user crafting such a file in anticipation of "md5sum -c" reading it.

For that reason I am proposing the following minimally-intrusive solution to correct this behavior:

- Change the behavior of "md5sum -c" to ignore "-" file names in order not to hang

The advantage with that solution would be:

- Less control logic will be required by script writers to ensure md5sum doesn't hang when calling "md5sum -c"
- Removes the denial of service possibility by a malicious user crafting such a file in anticipation of "md5sum -c" reading it

System information:
3.16.0-4-amd64 #1 SMP Debian 3.16.43-2+deb8u2 (2017-06-26) x86_64 GNU/Linux
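
The control logic a script writer needs today to keep "md5sum -c" from blocking on such a list, as an added example that is not part of the original report and is not coreutils code. The function names has_stdin_entry and safe_md5_check are hypothetical, and the pattern assumes the default GNU line format (hash, space, mode character, file name).

```shell
#!/bin/sh
# Added example: screen a checksum list before handing it to "md5sum -c".

# Return 0 if any entry in the list names "-" (stdin) as its file.
# Assumed line format: optional leading backslash, 32 hex digits, a space,
# a mode character (space or "*"), then the file name.
has_stdin_entry() {
    grep -Eq '^\\?[0-9a-fA-F]{32} [ *]-$' -- "$1"
}

# Verify a checksum list without ever blocking on the caller's stdin.
# Exit status: 0 = all entries OK, 1 = mismatch or unreadable file,
# 2 = list rejected because it contains a "-" entry.
safe_md5_check() {
    list=$1
    if has_stdin_entry "$list"; then
        echo "refusing $list: contains an entry for '-' (stdin)" >&2
        return 2
    fi
    # Second layer: stdin is /dev/null, so any read from it hits EOF at once
    # instead of waiting on a terminal or an inherited pipe.
    md5sum -c -- "$list" </dev/null || return 1
}

# Stand-alone use: sh this-script.sh all.md5
if [ "$#" -gt 0 ]; then
    safe_md5_check "$1"
fi
```

Rejecting the list outright, rather than silently skipping the "-" line, also surfaces the failed upstream command that produced it.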