[Secure-testing-team] Bug#555668: elfsign uses MD5
phcoder
phcoder at gmail.com
Tue Nov 10 23:00:51 UTC 2009
Package: elfsign
Version: 0.2.2-2
Severity: grave
Tags: security
Justification: user security hole
elfsign uses MD5, which is vulnerable to collision attacks. An attacker could prepare two ELF files, one legitimate and one malicious, having the same MD5, then submit the legitimate one for signing and then transfer the signature to the malicious file. This is also possible, though more difficult, to mount against source code. Note: Debian itself doesn't use ELF signatures.
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.30-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages elfsign depends on:
ii libc6 2.10.1-6 GNU C Library: Shared libraries
ii libssl0.9.8 0.9.8k-5 SSL shared libraries
elfsign recommends no packages.
elfsign suggests no packages.
-- no debconf information
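As an added illustration, not part of the bug report and not elfsign's own code, the check a verifier needs so that a signature made over one file cannot simply be moved to another file with a colliding digest: the accepted digest algorithms are allowlisted (MD5 is absent) and the algorithm name is bound into the signed bytes, so the label cannot be swapped in transit. The HMAC key is a stand-in for a real asymmetric signing key, and all function names and sample bytes are constructed for this example.

```python
import hashlib
import hmac

# Digest algorithms a verifier should accept. MD5 is deliberately absent:
# once two files share a digest, a signature over the digest is valid for both.
ALLOWED_DIGESTS = ("sha256", "sha512")

# Hypothetical secret standing in for the signer's private key. A real
# ELF-signing tool would use an asymmetric key; constructed for this example.
SIGNING_KEY = b"example-key-do-not-use-in-production"


def _mac_input(digest: str, file_digest: bytes) -> bytes:
    # The algorithm name is part of what gets signed, so an attacker cannot
    # relabel a signature as a different algorithm without invalidating it.
    return digest.encode() + b":" + file_digest


def sign_bytes(data: bytes, digest: str = "sha256", key: bytes = SIGNING_KEY) -> str:
    """Return a detached signature of the form 'digest:hexmac' over DATA."""
    if digest not in ALLOWED_DIGESTS:
        raise ValueError(f"refusing to sign with {digest}")
    file_digest = hashlib.new(digest, data).digest()
    mac = hmac.new(key, _mac_input(digest, file_digest), "sha256").hexdigest()
    return f"{digest}:{mac}"


def legacy_md5_signature(data: bytes, key: bytes = SIGNING_KEY) -> str:
    """Mimic a signature produced by an old tool that still hashes with MD5.

    Constructed for this example only, to show the verifier rejecting it."""
    file_digest = hashlib.md5(data).digest()
    mac = hmac.new(key, _mac_input("md5", file_digest), "sha256").hexdigest()
    return f"md5:{mac}"


def verify_bytes(data: bytes, signature: str, key: bytes = SIGNING_KEY) -> bool:
    """Accept only allowlisted digests, then check the MAC in constant time."""
    digest, _, mac = signature.partition(":")
    if digest not in ALLOWED_DIGESTS:
        return False
    file_digest = hashlib.new(digest, data).digest()
    expected = hmac.new(key, _mac_input(digest, file_digest), "sha256").hexdigest()
    return hmac.compare_digest(expected, mac)


if __name__ == "__main__":
    # Constructed sample inputs; a real check would read the ELF file bytes.
    legit = b"\x7fELF constructed legitimate binary"
    evil = b"\x7fELF constructed malicious binary"
    sig = sign_bytes(legit)
    print("legitimate verifies:", verify_bytes(legit, sig))
    print("other file with same signature verifies:", verify_bytes(evil, sig))
    print("legacy MD5 signature accepted:", verify_bytes(legit, legacy_md5_signature(legit)))
```

Refusing MD5 outright at verification time is the point: even a signature that was honestly produced by an older MD5-based tool is rejected, because the verifier cannot tell whether the file in front of it is the one that was originally signed or a colliding one.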