This is the mail archive of the cygwin mailing list for the Cygwin project.
bad md5 of setup.exe on mirrors.kernel.org
- From: Alexander Sotirov <asotirov at determina dot com>
- To: cygwin at cygwin dot com
- Date: Wed, 31 Jan 2007 20:54:54 -0800
- Subject: bad md5 of setup.exe on mirrors.kernel.org

The MD5 hash of setup.exe on mirrors.kernel.org does not match the hash on
ftp.cygwin.com.

$ wget ftp://ftp.cygwin.com/pub/cygwin/setup.exe
$ md5sum.exe setup.exe
b31ddcef84f25919a5d3184167b4a90d *setup.exe

$ wget http://mirrors.kernel.org/sourceware/cygwin/setup.exe
$ md5sum.exe setup.exe
fbc848393ed05ef4f51a253f75bcafeb *setup.exe

The MD5 hash in md5.sum on both servers is the same.

$ grep setup.exe md5.sum
b31ddcef84f25919a5d3184167b4a90d setup.exe

There is only one byte that's different between the two binaries, and it's at offset
0x1F4 in the file:

from ftp.cygwin.com:
000001F0 32 2E 30 33 00 55 50 58 21 0D 09 08 07 CF A8 F5 2.03.UPX!.......

from mirrors.kernel.org:
000001F0 32 2E 30 32 00 55 50 58 21 0D 09 08 07 CF A8 F5 2.02.UPX!.......

This looks like a version string of the UPX packer used to produce the executable.
It looks like this is a result of some kind of error and not malicious
tampering, but it's worrisome that the mirrors have gotten out of sync and
nobody noticed.

By the way, MD5 is broken, you should switch to SHA1 or GPG signatures.
http://www.mathstat.dal.ca/~selinger/md5collision/

Alex
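
The check described in the post, as an added example that is not part of the original message or of Cygwin's tooling: it parses md5sum-style manifest lines (with or without the `*` binary marker seen above), checks each mirror's copy against the manifest, and lists the byte offsets where the copies differ. The file contents and the manifest digest are constructed sample data, and the function names are hypothetical; `algo` accepts any hashlib name, such as `sha1`.

```python
import hashlib

def parse_manifest(text):
    """Parse md5sum-style lines: '<hex digest> <name>' or '<hex digest> *<name>'."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        digest, name = parts[0].lower(), parts[1].strip()
        if name.startswith("*"):  # binary-mode marker, as in '*setup.exe'
            name = name[1:]
        entries[name] = digest
    return entries

def differing_offsets(a, b):
    """Zero-based offsets at which two byte strings differ (cmp -l counts from 1)."""
    diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    # On a length mismatch, every trailing byte of the longer copy counts as different.
    diffs.extend(range(min(len(a), len(b)), max(len(a), len(b))))
    return diffs

def audit_mirrors(manifest_text, name, copies, algo="md5"):
    """Check every mirror's copy against the manifest and against the first copy."""
    expected = parse_manifest(manifest_text).get(name)
    reference = next(iter(copies.values()))
    report = {}
    for host, data in copies.items():
        digest = hashlib.new(algo, data).hexdigest()
        report[host] = {
            "digest": digest,
            "matches_manifest": digest == expected,
            "diff_offsets": differing_offsets(reference, data),
        }
    return report

def demo():
    # Constructed sample: zero padding around the 16-byte row shown at 0x1F0 in the post.
    row = bytes.fromhex("322E303300555058210D090807CFA8F5")
    primary = bytes(0x1F0) + row + bytes(64)
    mirror = bytearray(primary)
    mirror[0x1F3] = 0x32  # '3' -> '2', the one-byte difference in the dumps
    # Constructed manifest line; the digest is of the sample data, not the real setup.exe.
    manifest = hashlib.md5(primary).hexdigest() + "  setup.exe\n"
    copies = {"ftp.cygwin.com": primary, "mirrors.kernel.org": bytes(mirror)}
    return audit_mirrors(manifest, "setup.exe", copies)

if __name__ == "__main__":
    for host, result in demo().items():
        print(host, result["matches_manifest"], [hex(o) for o in result["diff_offsets"]])
```

Running the same audit on a schedule across all mirrors would flag a copy that has drifted from the manifest as soon as it appears.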