
Bug#555668: marked as forwarded (elfsign uses MD5)

Subject: Bug#555668: marked as forwarded elfsign uses MD5
From: Debian Bug Tracking System
Date: Sun, 15 Nov 2009 07:03:08 +0000
Your message dated Sun, 15 Nov 2009 16:47:12 +1000
with message-id <[email protected]>
has caused the report #555668,
regarding elfsign uses MD5
to be marked as having been forwarded to the upstream software
author(s) Matt Miller <[email protected]>

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]

555668: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555668
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Subject: Re: Bug#555668: elfsign uses MD5
From: Andrew Pollock
Date: Sun, 15 Nov 2009 16:47:12 +1000
Hi Matt,

What's the status of elfsign? It doesn't look like you've made a new release
in nearly 5 years. Are you planning on addressing the deficiencies of MD5 by
releasing a new version with SHA1 support?

Please maintain the Cc to keep our bug tracking system in the loop.



On Wed, Nov 11, 2009 at 12:00:51AM +0100, phcoder wrote:
> Package: elfsign
> Version: 0.2.2-2
> Severity: grave
> Tags: security
> Justification: user security hole
> ELF sign uses MD5 which is vulnerable to collision attack. An attacker could 
> prepare 2 ELF files: one legitimate and one malicious having same MD5, then 
> submit legitimate one for signing and then transfer signature to malicious 
> file. Also possible however more difficult to mount against source code. 
> Note: Debian itself doesn't use ELF signatures
> -- System Information:
> Debian Release: squeeze/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable'), (500, 'stable')
> Architecture: amd64 (x86_64)
> Kernel: Linux 2.6.30-2-amd64 (SMP w/2 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
> Versions of packages elfsign depends on:
> ii  libc6                         2.10.1-6   GNU C Library: Shared libraries
> ii  libssl0.9.8                   0.9.8k-5   SSL shared libraries
> elfsign recommends no packages.
> elfsign suggests no packages.
> -- no debconf information

--- End Message ---
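
The signature-transfer problem described in the quoted report, as an added example that is not part of the original thread and is not elfsign's code: a hash-then-sign scheme binds the signature to the digest only, so any two inputs with the same digest share a signature. Assumptions: an HMAC with a constructed key stands in for the signer's private-key operation, and MD5 is truncated to 16 bits purely so the demo finds a collision instantly; all names and file bodies are constructed.

```python
import hashlib
import hmac
import itertools

KEY = b"constructed-demo-signing-key"  # stand-in for the signer's private key


def weak_digest(data: bytes) -> bytes:
    # Toy collision-prone hash: MD5 cut to 16 bits (demo assumption).
    return hashlib.md5(data).digest()[:2]


def strong_digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def sign(data: bytes, digest) -> bytes:
    # Hash-then-sign: only the digest of the file is actually signed.
    return hmac.new(KEY, digest(data), hashlib.sha256).digest()


def verify(data: bytes, sig: bytes, digest) -> bool:
    return hmac.compare_digest(sign(data, digest), sig)


def find_colliding_pair(digest):
    # Birthday search over constructed inputs; terminates by pigeonhole.
    seen = {}
    for i in itertools.count():
        msg = b"constructed file body #%d" % i
        d = digest(msg)
        if d in seen:
            return seen[d], msg
        seen[d] = msg


def demo():
    file_a, file_b = find_colliding_pair(weak_digest)
    # Signature issued for file_a under the weak digest...
    weak_sig = sign(file_a, weak_digest)
    # ...and under a collision-resistant digest.
    strong_sig = sign(file_a, strong_digest)
    return (
        file_a != file_b,
        verify(file_b, weak_sig, weak_digest),      # accepted: same digest
        verify(file_b, strong_sig, strong_digest),  # rejected: digests differ
    )


if __name__ == "__main__":
    print(demo())
```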