This is the mail archive of the cygwin mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

bad md5 of setup.exe on mirrors.kernel.org


The MD5 hash of setup.exe on mirrors.kernel.org does not match the hash on
ftp.cygwin.com.

$ wget ftp://ftp.cygwin.com/pub/cygwin/setup.exe
$ md5sum.exe setup.exe
b31ddcef84f25919a5d3184167b4a90d *setup.exe

$ wget http://mirrors.kernel.org/sourceware/cygwin/setup.exe
$ md5sum.exe setup.exe
fbc848393ed05ef4f51a253f75bcafeb *setup.exe

The MD5 hash in md5.sum on both servers is the same.

$ grep setup.exe md5.sum
b31ddcef84f25919a5d3184167b4a90d  setup.exe

There is only byte that's different between the two binaries, and it's at offset
0x1F4 in the file:

from ftp.cygwin.com:
000001F0   32 2E 30 33  00 55 50 58  21 0D 09 08  07 CF A8 F5  2.03.UPX!.......

from mirrors.kernel.org:
000001F0   32 2E 30 32  00 55 50 58  21 0D 09 08  07 CF A8 F5  2.02.UPX!.......

This looks like a version string of the UPX packer used to produce the executable.

It looks like this is a result of some kind of error and not a malicious
tampering, but it's worrisome that the mirrors have gotten out of sync and
nobody noticed.

By the way, MD5 is broken, you should switch to SHA1 or GPG signatures.
http://www.mathstat.dal.ca/~selinger/md5collision/

Alex

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]