From owner-freebsd-security@FreeBSD.ORG  Wed Aug 25 19:51:56 2004
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 3D93E16A4CE
	for <freebsd-security@freebsd.org>;
	Wed, 25 Aug 2004 19:51:56 +0000 (GMT)
Received: from device.dyndns.org (device.net1.nerim.net [62.212.100.233])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 6777C43D4C
	for <freebsd-security@freebsd.org>;
	Wed, 25 Aug 2004 19:51:55 +0000 (GMT)
	(envelope-from guy@device.dyndns.org)
Received: (from root@localhost)
	by device.dyndns.org (8.12.11/8.12.5) id i7PJpqHV078806;
	Wed, 25 Aug 2004 21:51:52 +0200 (CEST)
	(envelope-from guy@device.dyndns.org)
Received: from pissenlit.device.local (pissenlit [10.0.0.88])
	by device.dyndns.org (8.12.11/8.12.11) with ESMTP id i7PJpo0I078794;
	Wed, 25 Aug 2004 21:51:50 +0200 (CEST)
	(envelope-from guy@device.dyndns.org)
From: guy@device.dyndns.org
Message-ID: <XFMail.20040825215150.guy@device.dyndns.org>
X-Mailer: XFMail 1.5.5 on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=iso-8859-15
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To: <6.1.2.0.0.20040818141732.04a6e060@64.7.153.2>
Date: Wed, 25 Aug 2004 21:51:50 +0200 (CEST)
To: Mike Tancsa <mike@sentex.net>
X-Scanned-Against-Virii: by an antivirus :]
cc: freebsd-security@freebsd.org
Subject: Re: Report of collision-generation with MD5
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Aug 2004 19:51:56 -0000


On 18-Aug-2004 Mike Tancsa wrote:
> As I have no crypto background to evaluate some of the (potentially wild 
> and erroneous) claims being made in the popular press* (eg 
> http://news.com.com/2100-1002_3-5313655.html see quote below), one thing 
> that comes to mind is the safety of ports.  If someone can pad an archive
> to come up with the same MD5 hash, this would challenge the security of
> the FreeBSD ports system no ?

I _believe_ answer is "no", because i _think_ the FreeBSD ports system also
verify the size of the archive(s) (cat /usr/ports/any/any/distinfo to see
what made me think that).

Padding would modify archive size. Finding a backdoored version that both
satisfy producing the same hash and being the same size is probably not
impossible, but how many years would it take ?


Now, i may be wrong. Any enlightement welcome.

--
        Guy