Package: coreutils
Version: 8.23-4
Debian Release: jessie/stable

The behavior when running "md5sum -c all.md5" with the "all.md5" file
containing the following as example:

(all.md5)
d41d8cd98f00b204e9800998ecf8427e  -

results in md5sum hanging as it is waiting for stdin inside the code which
shouldn't be since a script writer using "md5sum -c" is expecting a check &
return of control.

I stumbled on that behavior unexpectedly today, and found this existing bug
and I am adding my feedback.

To give some context, the above file was generated inadvertently by a failed
"find" command which fed a null into md5sum:

    find ./path -print0 | xargs -0 md5sum > all.md5
    ^ find command failed, passing null to md5sum (the stdin was null),
      and thus the resulting file above

One might argue that the output of md5sum should remain as is including the
"-", however the "md5sum -c" command regardless shouldn't hang when
processing such a file.

Also, this behavior has a security implication as it could be weaponized as
a denial of service by a malicious user crafting such a file in
anticipation of "md5sum -c" reading it.

For that reason I am proposing the following minimally-intrusive solution to
correct this behavior:

  - Change the behavior of "md5sum -c" to ignore "-" file names in order not
    to hang

The advantages of that solution would be:

  - Less control logic will be required by script writers to ensure md5sum
    doesn't hang when calling "md5sum -c"
  - Removes the denial of service possibility by a malicious user crafting
    such a file in anticipation of "md5sum -c" reading it

System information:
3.16.0-4-amd64 #1 SMP Debian 3.16.43-2+deb8u2 (2017-06-26) x86_64 GNU/Linux
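As an added example that is not part of this bug report or of coreutils, the following shell script shows the script-side control logic the report says writers currently need around "md5sum -c": it reproduces the checksum file from the report, detects entries whose file name is "-", and runs the check on a filtered copy with stdin redirected from /dev/null. Function names, the sample file names and the regular expression are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the bug report: the control logic a script
# currently needs around "md5sum -c" so that a checksum file naming "-"
# (stdin) cannot make the check block.  Function and file names are chosen
# for this example.

# Constructed sample: writes all.md5 into directory $1, reproducing the
# report's line (md5 of empty input, file name "-") plus one ordinary entry
# for an empty file that is created alongside it.
make_sample_checksum_file() {
    : > "$1/empty.txt"
    printf 'd41d8cd98f00b204e9800998ecf8427e  -\n' > "$1/all.md5"
    printf 'd41d8cd98f00b204e9800998ecf8427e  empty.txt\n' >> "$1/all.md5"
}

# md5sum's list format is "<32 hex digits>" followed by "  " (text mode) or
# " *" (binary mode) and the file name; this pattern matches entries whose
# name is exactly "-".
STDIN_ENTRY_RE='^[0-9a-fA-F]{32} [ *]-$'

# Print the entries of checksum file $1 that name stdin.
stdin_entries() {
    grep -E "$STDIN_ENTRY_RE" "$1" || true
}

# Number of such entries; 0 means the file is safe to pass to md5sum -c.
count_stdin_entries() {
    stdin_entries "$1" | wc -l | tr -d ' '
}

# Verify checksum file $1 with the "-" entries removed.  stdin is also
# redirected from /dev/null as a second safeguard; on its own that
# redirection is not enough, because empty input hashes to exactly
# d41d8cd98f00b204e9800998ecf8427e and md5sum would report "-: OK".
# Returns md5sum's exit status.
safe_md5sum_check() {
    skipped=$(count_stdin_entries "$1")
    if [ "$skipped" -gt 0 ]; then
        printf 'warning: %s entries naming stdin (-) skipped in %s\n' \
            "$skipped" "$1" >&2
    fi
    tmp=$(mktemp) || return 2
    grep -v -E "$STDIN_ENTRY_RE" "$1" > "$tmp" || true
    md5sum -c "$tmp" < /dev/null
    status=$?
    rm -f "$tmp"
    return "$status"
}
```

Typical use is `safe_md5sum_check all.md5` from the directory the listed files live in, since `md5sum -c` resolves names relative to the working directory. The filter also catches the binary-mode form `*-`; it deliberately does not pass the `-` entry through with `</dev/null`, because that would turn the report's line into a spurious "OK" instead of surfacing it as a problem with the checksum file.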
