Mail Archives: cygwin/2007/01/31/23:55:21

X-Spam-Check-By: sourceware.org
Message-ID: <45C1729E.60702@determina.com>
Date: Wed, 31 Jan 2007 20:54:54 -0800
From: Alexander Sotirov <asotirov AT determina DOT com>
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: bad md5 of setup.exe on mirrors.kernel.org
X-IsSubscribed: yes
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

The MD5 hash of setup.exe on mirrors.kernel.org does not match the hash on
ftp.cygwin.com.

$ wget ftp://ftp.cygwin.com/pub/cygwin/setup.exe
$ md5sum.exe setup.exe
b31ddcef84f25919a5d3184167b4a90d *setup.exe

$ wget http://mirrors.kernel.org/sourceware/cygwin/setup.exe
$ md5sum.exe setup.exe
fbc848393ed05ef4f51a253f75bcafeb *setup.exe

The MD5 hash in md5.sum on both servers is the same.

$ grep setup.exe md5.sum
b31ddcef84f25919a5d3184167b4a90d  setup.exe

There is only one byte that's different between the two binaries, and it's at
offset 0x1F4 in the file:

from ftp.cygwin.com:
000001F0   32 2E 30 33  00 55 50 58  21 0D 09 08  07 CF A8 F5  2.03.UPX!.......

from mirrors.kernel.org:
000001F0   32 2E 30 32  00 55 50 58  21 0D 09 08  07 CF A8 F5  2.02.UPX!.......

This looks like a version string of the UPX packer used to produce the executable.

It looks like this is a result of some kind of error and not a malicious
tampering, but it's worrisome that the mirrors have gotten out of sync and
nobody noticed.

By the way, MD5 is broken, you should switch to SHA1 or GPG signatures.
http://www.mathstat.dal.ca/~selinger/md5collision/

Alex
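
Added example, not part of the original message: a Python sketch of the same two checks, verifying a downloaded copy against an md5.sum-style manifest and locating the bytes where two copies differ. The sample data is constructed (zero padding plus the 16-byte row quoted above), and all function names are hypothetical.

```python
import hashlib

def parse_manifest(text):
    """Map file name -> digest from md5sum-style lines ('<hex>  name' or '<hex> *name')."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            entries[parts[1].lstrip("*").strip()] = parts[0].lower()
    return entries

def matches_manifest(name, data, manifest, algo="md5"):
    """True only if the manifest lists `name` and the digest of `data` equals that entry."""
    expected = manifest.get(name)
    return expected is not None and hashlib.new(algo, data).hexdigest() == expected

def diff_offsets(a, b):
    """0-based offsets at which two copies differ; extra trailing bytes count as differences."""
    diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    diffs.extend(range(min(len(a), len(b)), max(len(a), len(b))))
    return diffs

def hex_row(data, offset):
    """Format the 16-byte row containing `offset` in the layout of the dumps in the message."""
    start = offset & ~0xF
    row = data[start:start + 16]
    cells = ["%02X" % c for c in row]
    groups = "  ".join(" ".join(cells[i:i + 4]) for i in range(0, len(cells), 4))
    text = "".join(chr(c) if 32 <= c < 127 else "." for c in row)
    return "%08X   %s  %s" % (start, groups, text)

# Constructed stand-ins for the two downloads: zero padding followed by the
# 16-byte row quoted in the message (these are not the real setup.exe files).
ROW = bytes.fromhex("32 2E 30 33 00 55 50 58 21 0D 09 08 07 CF A8 F5")
REFERENCE = bytes(0x1F0) + ROW
MIRROR = REFERENCE[:0x1F3] + b"\x32" + REFERENCE[0x1F4:]
# Constructed manifest in md5.sum format, derived from the reference copy.
MANIFEST = "%s  setup.exe\n" % hashlib.md5(REFERENCE).hexdigest()

if __name__ == "__main__":
    manifest = parse_manifest(MANIFEST)
    for label, blob in (("reference", REFERENCE), ("mirror", MIRROR)):
        print(label, "OK" if matches_manifest("setup.exe", blob, manifest) else "MISMATCH")
    for off in diff_offsets(REFERENCE, MIRROR):
        # 0-based offset; byte-number tools that count from 1 (such as cmp) report off + 1.
        print("differs at 0x%X (byte number 0x%X counting from 1)" % (off, off + 1))
        print(hex_row(REFERENCE, off))
        print(hex_row(MIRROR, off))
```

Passing algo="sha1" or algo="sha256" to matches_manifest checks a manifest built with a stronger hash in the same way.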
