X-Spam-Check-By: sourceware.org Message-ID: <45C1729E.60702@determina.com> Date: Wed, 31 Jan 2007 20:54:54 -0800 From: Alexander Sotirov User-Agent: Thunderbird 1.5.0.9 (Windows/20061207) MIME-Version: 1.0 To: cygwin AT cygwin DOT com Subject: bad md5 of setup.exe on mirrors.kernel.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-IsSubscribed: yes Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com The MD5 hash of setup.exe on mirrors.kernel.org does not match the hash on ftp.cygwin.com. $ wget ftp://ftp.cygwin.com/pub/cygwin/setup.exe $ md5sum.exe setup.exe b31ddcef84f25919a5d3184167b4a90d *setup.exe $ wget http://mirrors.kernel.org/sourceware/cygwin/setup.exe $ md5sum.exe setup.exe fbc848393ed05ef4f51a253f75bcafeb *setup.exe The MD5 hash in md5.sum on both servers is the same. $ grep setup.exe md5.sum b31ddcef84f25919a5d3184167b4a90d setup.exe There is only byte that's different between the two binaries, and it's at offset 0x1F4 in the file: from ftp.cygwin.com: 000001F0 32 2E 30 33 00 55 50 58 21 0D 09 08 07 CF A8 F5 2.03.UPX!....... from mirrors.kernel.org: 000001F0 32 2E 30 32 00 55 50 58 21 0D 09 08 07 CF A8 F5 2.02.UPX!....... This looks like a version string of the UPX packer used to produce the executable. It looks like this is a result of some kind of error and not a malicious tampering, but it's worrisome that the mirrors have gotten out of sync and nobody noticed. By the way, MD5 is broken, you should switch to SHA1 or GPG signatures. http://www.mathstat.dal.ca/~selinger/md5collision/ Alex -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/