Byte 0x46 is an arbitrary byte I chose.
I thought that rpm's --checksig ran md5sum and gpg on the entire rpm file
(except the embedded signatures), but that doesn't seem to be the case,
else rpm --checksig would have 'seen' the change.
Richard
>
>
> >
> > The rpm --checksig verification function appears to be broken.
> > (I am using RH 7.3 and rpm-4.0.4-7x.18)
> > I changed one byte in an rpm file using hexedit then ran rpm --checksig.
> > rpm still printed out: "md5 gpg OK"
> [...]
> > using hexedit I changed byte 0x46 to 0x22 (it was 0x00) in
> > xchat-1.8.9-1.73.0.i386.rpm
> [...]
> > rpm --checksig xchat*
> > xchat-1.8.9-1.73.0.i386.rpm: md5 gpg OK
> > xchat-1.8.9-1.73.0.i386.rpm.org: md5 gpg OK
> >
> > WHY DIDN'T rpm --checksig INDICATE AN ERROR IN xchat-1.8.9-1.73.0.i386.rpm ?
>
> What is hanging out near byte 0x46 in an rpm file? I am guessing that
> that is dead space, cruft, padding, or something else that doesn't
> matter.
>
> I tried a similar experiment: I grabbed zlib-1.1.3-25.7.i386.rpm, but I
> waded further into the file until I found what looked like compressed
> binary data and I changed a byte there. Indeed, --checksig noticed my
> change.
>
> For another experiment I went to byte 0x515 of
> zlib-1.1.3-25.7.i386.rpm where I found some English language text and
> I changed an "e" to an "E". Again, --checksig found the change.
>
> Note that rpm files are not simple byte streams, there is a lot of
> structure in there. I think that the signature is knowledgeable of
> that structure and you changed dead space that didn't participate in
> anything real.
>
> It is similarly possible to change a bit in a database file and not
> hit anything real either. Or change a random bit on a disk, you also
> might not hit anything real. And in the case of the disk, a file
> compare and fsck might both see nothing changed.
>
>
> -kb, the Kent who also uses "rpm --checksig" on a regular basis and
> who doesn't think there is anything to worry about here.
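An added worked example, not code from this thread and not rpm's own
implementation: it models why a change at offset 0x46 is invisible to the
md5 part of --checksig. A real RPM is laid out as a 96-byte lead, then a
signature header, then the main header, then the payload. The MD5 stored in
the signature header (RPMSIGTAG_MD5) is computed over the main header plus
payload only; the lead (including the 66-byte package name field, which is
where offset 0x46 falls) and the signature header's alignment padding are
outside the digested region. The lead and header encodings below follow the
real on-disk format, but the file built here is a synthetic, constructed
stand-in rather than a real package, and check_md5() re-implements only the
md5 check, not the gpg check or anything else rpm does. As a generalization
of the post's single experiment, region_of() classifies any offset.

```python
"""Model of RPM layout vs. the region covered by RPMSIGTAG_MD5.
Constructed example; the blob is synthetic, not a real package."""
import hashlib
import struct

LEAD_SIZE = 96
LEAD_MAGIC = b"\xed\xab\xee\xdb"        # rpm lead magic
HEADER_MAGIC = b"\x8e\xad\xe8\x01"      # header magic + version 1
RPMSIGTAG_MD5 = 1004                    # digest over main header + payload
RPM_BIN_TYPE = 7
RPMTAG_NAME, RPM_STRING_TYPE = 1000, 6


def build_lead(name):
    """96-byte lead: magic, major, minor, type, archnum, name[66], osnum,
    signature_type, reserved[16]. struct zero-pads the name field."""
    return struct.pack(">4sBBhh66shh16s", LEAD_MAGIC, 3, 0, 0, 1,
                       name.encode(), 1, 5, b"\0" * 16)


def build_header(entries):
    """RPM header: magic, 4 reserved bytes, nindex, hsize (big-endian),
    then 16-byte index entries (tag, type, offset, count), then the store.
    entries: list of (tag, type, data_bytes, count)."""
    index, store = b"", b""
    for tag, typ, data, count in entries:
        index += struct.pack(">IIII", tag, typ, len(store), count)
        store += data
    return (HEADER_MAGIC + b"\0" * 4
            + struct.pack(">II", len(entries), len(store)) + index + store)


def build_rpm(name, header_entries, payload):
    """Assemble lead | signature header (+ 8-byte padding) | header | payload."""
    signed = build_header(header_entries) + payload
    md5 = hashlib.md5(signed).digest()
    sig_header = build_header([(RPMSIGTAG_MD5, RPM_BIN_TYPE, md5, 16)])
    pad = (8 - len(sig_header) % 8) % 8   # the lead is 96 bytes, so this
    return build_lead(name) + sig_header + b"\0" * pad + signed  # 8-aligns the header


def parse_header(buf, off):
    """Return ({tag: (type, raw_bytes)}, end_offset) for the header at buf[off].
    Only BIN-style counts (count == byte length) are handled; enough for the
    signature header parsed here."""
    if buf[off:off + 4] != HEADER_MAGIC:
        raise ValueError("bad header magic at 0x%x" % off)
    nindex, hsize = struct.unpack(">II", buf[off + 8:off + 16])
    idx_start = off + 16
    store_start = idx_start + 16 * nindex
    entries = {}
    for i in range(nindex):
        tag, typ, doff, count = struct.unpack(
            ">IIII", buf[idx_start + 16 * i:idx_start + 16 * (i + 1)])
        entries[tag] = (typ, buf[store_start + doff:store_start + doff + count])
    return entries, store_start + hsize


def signed_region(buf):
    """(signature entries, offset where the MD5-covered region begins)."""
    if buf[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM lead")
    sig_entries, sig_end = parse_header(buf, LEAD_SIZE)
    sig_end += (8 - sig_end % 8) % 8      # skip alignment padding (not digested)
    return sig_entries, sig_end


def check_md5(buf):
    """True if the stored MD5 matches header+payload (the 'md5' in 'md5 gpg OK')."""
    sig_entries, start = signed_region(buf)
    _, stored = sig_entries[RPMSIGTAG_MD5]
    return hashlib.md5(buf[start:]).digest() == stored


def region_of(buf, offset):
    """Name the structural region a file offset falls in."""
    _, start = signed_region(buf)
    if offset < LEAD_SIZE:
        return "lead"
    return "signature header" if offset < start else "header+payload"


def flip_byte(buf, offset, value):
    b = bytearray(buf)
    b[offset] = value
    return bytes(b)


def demo():
    """Repeat the two experiments from the thread on the synthetic file."""
    rpm = build_rpm("xchat-1.8.9-1.73.0",
                    [(RPMTAG_NAME, RPM_STRING_TYPE, b"xchat\0", 1)],
                    b"constructed payload, not a real cpio.gz archive")
    _, start = signed_region(rpm)
    return {
        "pristine": check_md5(rpm),
        "lead_0x46": check_md5(flip_byte(rpm, 0x46, 0x22)),      # unnoticed
        "payload": check_md5(flip_byte(rpm, start + 10, 0x22)),  # detected
        "byte_0x46_was": rpm[0x46],
        "region_0x46": region_of(rpm, 0x46),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

With the real package the same reasoning applies: 0x46 is inside the lead's
name field, past the end of the 18-character name, so it was a zero pad byte
that no digest or signature in the file covers.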
--
redhat-list mailing list
Unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list