Hi everyone,
I just submitted https://github.com/jacoco/jacoco/issues/290. I apologize for the double posting, but since this is possibly a security issue, I thought I'd run the risk of looking foolish.
Just tried downloading the latest builds from http://www.eclemma.org/jacoco/, and as you can see, the md5 sums match for jacoco-0.7.2.201409121644.zip (and earlier), but the last two builds' md5s don't match.
> md5 jacoco-0.*
MD5 (jacoco-0.5.4.201111111111.zip) = cdc77d6308093d2bd3bf73211d017f19
MD5 (jacoco-0.5.7.201204190339.zip) = fe3859ae6f495e91c8429bbd0cd345bd
MD5 (jacoco-0.5.8.201207111220.zip) = 98378d6fdbcc4860c2ef975551a192fd
MD5 (jacoco-0.5.9.201207300726.zip) = 78f629eea851c13abc301f8b68a9ad4c
MD5 (jacoco-0.6.0.201210061924.zip) = b4cd9d8ec31b56697ab38fd4c075a20d
MD5 (jacoco-0.6.1.201212231917.zip) = 1300b8a64628e30912fc94a93f5196cd
MD5 (jacoco-0.6.2.201302030002.zip) = fd896f3ccd3a956af398055db6585ee5
MD5 (jacoco-0.6.3.201306030806.zip) = b5fd1de305dd945981a630ee42b29ca2
MD5 (jacoco-0.6.4.201312101107.zip) = 7dd7cd3d3823335893cc89f6d9373e98
MD5 (jacoco-0.6.5.201403032054.zip) = deaa9e4a4c65ae7e385c3459a050dc79
MD5 (jacoco-0.7.0.201403182114.zip) = b5a03054099301273d01e8fa0c291c58
MD5 (jacoco-0.7.1.201405082137.zip) = 14b3083ff817b82f011bceda26041551
MD5 (jacoco-0.7.2.201409121644.zip) = be263538926a32b8c6ca3e547f32a16e
MD5 (jacoco-0.7.3.201502191951.zip) = 6ebc9e2a241bb7b72c1329e2a69e552d
MD5 (jacoco-0.7.4.201502262128.zip) = ad5accd28b789e7bd5fd7dc6c1d49818
Looking into the zipfile listing of jacoco-0.7.4.201502262128.zip, I didn't see anything obviously suspicious, but since the md5s don't match I'm not prepared to actually unzip it without an isolated machine.
I wonder if the person who built these builds still has the artifacts around and could figure out if the issue is a) a big md5 sum was published, or b) the files released are not the files that were built?
Thanks,
Andrew
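
The check described in the post above, as an added example that is not part of the original message or the JaCoCo project: it parses `md5` output in the format shown (and the GNU `md5sum` format), compares it with a published list, and reads a zip's entry listing without extracting anything. File names, digests and the archive are constructed sample values.

```python
import hashlib
import io
import re
import zipfile

# BSD/macOS `md5` prints "MD5 (name) = hex"; GNU `md5sum` prints "hex  name".
BSD = re.compile(r"^MD5 \((?P<name>.+)\) = (?P<hex>[0-9a-fA-F]{32})$")
GNU = re.compile(r"^(?P<hex>[0-9a-fA-F]{32}) [ *](?P<name>.+)$")

def md5_hex(data):
    return hashlib.md5(data).hexdigest()

def parse_digests(text):
    """Return {filename: lowercase md5 hex} from either output format."""
    digests = {}
    for line in text.splitlines():
        m = BSD.match(line.strip()) or GNU.match(line.strip())
        if m:
            digests[m["name"]] = m["hex"].lower()
    return digests

def compare(local, published):
    """Classify every published file: match, MISMATCH, or not downloaded."""
    report = {}
    for name, want in published.items():
        got = local.get(name)
        if got is None:
            report[name] = "not downloaded"
        else:
            report[name] = "match" if got == want else "MISMATCH"
    return report

def list_entries(zip_bytes):
    """Read names and sizes from the central directory; nothing is extracted."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(info.filename, info.file_size) for info in zf.infolist()]

def sample_zip():
    """Constructed in-memory archive standing in for a downloaded release."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/example.jar", b"constructed")
    return buf.getvalue()

if __name__ == "__main__":
    data = sample_zip()
    local = parse_digests(f"MD5 (example-1.0.zip) = {md5_hex(data)}")
    published = parse_digests("0" * 32 + "  example-1.0.zip")  # constructed value
    print(compare(local, published))
    print(list_entries(data))
```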