Issue #9617 has been updated by Dump Dump.
Thanks for looking at this issue :) I would like to point out, that while checking the file size is certainly better, it's not as much of a protection as one might think: It all depends on the file to attack. If its a binary, it might be slightly complicated. If it's a config file, most contain a lot of comments and useless config options which can be wiped and replaced by the padding, to keep the same file size. Generally, multi-hash is the safest bet (but also the slowest, which can be an issue). File size + stronger hash (as in SHA2 or similar) would actually be a good compromise. ---------------------------------------- Bug #9617: Puppet uses insecure file checksums https://projects.puppetlabs.com/issues/9617 Author: Dump Dump Status: Accepted Priority: Normal Assignee: Nigel Kersten Category: file Target version: Affected Puppet version: Keywords: md5 checksum security Branch: Puppet uses MD5 for file checksums. It is possible for an attacker to modify a file contents to it's liking, while padding for example, with a large comment, for the md5 to match the original checksum. While an administrator would suspect that after an attack, Puppet would replace all the files it's told to fix, it won't. While Puppet should not be used as a security device, it touches security. In a proper environment where attackers are sandboxed and cannot touch puppet, but can touch other files, it makes sense for puppet to be able to create secure checksums. Likewise, in an environment where you need to quickly fix a file to close a security hole, but you know some systems are compromised, this helps as you can't expect a reinstall of hundred or thousand of systems overnight. The proposal is to add SHA512 as a checksum option. See patch for a sample (it's missing tests, etc) An additional option can be to perform both md5 and sha (and/or others) checksums -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://projects.puppetlabs.com/my/account -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/puppet-bugs?hl=en.
