This is a discussion on What does it mean when rpm fails md5 sum? within the Linux Security forums, part of the System Security and Security Related category; I've run a few FC2 updates with yum and a package fails the md5 check but continues and installs ...
I've run a few FC2 updates with yum and a package fails the md5 check but
continues and installs the package. Is that ok? Am I at risk when a package is installed with a failed md5 check? When possible I would not install a package that failed the check but Yum doesn't seem to care.
Noi <noi@siam.com> banged on the keyboard until producing
news:pan.2004.09.09.17.43.12.935518@siam.com:

> I've run a few FC2 updates with yum and a package fails the md5 check
> but continues and installs the package. Is that ok? Am I at risk
> when a package is installed with a failed md5 check? When possible I
> would not install a package that failed the check but Yum doesn't seem
> to care.
>

Two things come to mind: either the package got mangled in transit, or the rpm has been 'doctored' (i.e. something inside it has been changed - whether for good or bad). Either way, it is NOT a Good Thing (tm).

I'd try re-downloading it and see if the second copy MD5s correctly. If so, re-install. If not, let the package site know and ask them to check on their end.

--
* * * * * * * * * * * * * * * * *
Dorsai - Author of Erotic Fiction
http://www.asstr.org/~Dorsai
* * * * * * * * * * * * * * * * *
"Take away the right to say 'fuck' and you take away the right to say 'fuck the government.'" -- Lenny Bruce
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NotDashEscaped: You need GnuPG to verify this message

In comp.os.linux.security Noi <noi@siam.com> suggested:
> I've run a few FC2 updates with yum and a package fails the md5 check but
> continues and installs the package. Is that ok? Am I at risk when a
> package is installed with a failed md5 check? When possible I would not
> install a package that failed the check but Yum doesn't seem to care.

Show us the output from some xterm/kvt of:

rpm -Kvvv filename.rpm

--
Michael Heiming (GPG-Key ID: 0xEDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBQNkYAkPEju3Se5QRApG6AKCyBAJLc17YwxYaeN/NvLVw9Du9TACeJgEW
nV00kvPmRLTlec+o1At4m20=
=Xpqc
-----END PGP SIGNATURE-----
On Thu, 09 Sep 2004 13:08:42 -0500, Dorsai thoughtfully wrote:

> Noi <noi@siam.com> banged on the keyboard until producing
> news:pan.2004.09.09.17.43.12.935518@siam.com:
>
>> I've run a few FC2 updates with yum and a package fails the md5 check
>> but continues and installs the package. Is that ok? Am I at risk
>> when a package is installed with a failed md5 check? When possible I
>> would not install a package that failed the check but Yum doesn't seem
>> to care.
>>
>
> Two things come to mind: either the package got mangled in transit, or
> the rpm has been 'doctored' (i.e. something inside it has been changed -
> whether for good or bad). Either way, it is NOT a Good Thing (tm).
>
> I'd try re-downloading it and see if the second copy MD5s correctly. If
> so, re-install. If not, let the package site know and ask them to check
> on their end.

Thanks, will do.
On Thu, 09 Sep 2004 22:28:41 +0000, Michael Heiming thoughtfully wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> NotDashEscaped: You need GnuPG to verify this message
>
> In comp.os.linux.security Noi <noi@siam.com> suggested:
>> I've run a few FC2 updates with yum and a package fails the md5 check but
>> continues and installs the package. Is that ok? Am I at risk when a
>> package is installed with a failed md5 check? When possible I would not
>> install a package that failed the check but Yum doesn't seem to care.
>
> Show us the output from some xterm/kvt of:
>
> rpm -Kvvv filename.rpm

Thanks. No output at all from that command for that package.
>>>>> "Noi" == Noi <noi@siam.com> writes:

Noi> I've run a few FC2 updates with yum and a package fails the
Noi> md5 check but continues and installs the package.

You shouldn't continue if the md5s are not correct.

Noi> Is that ok?

I don't think so.

Noi> Am I at risk when a package is installed with a failed md5
Noi> check?

When the md5 check fails, that means the file contents are not what the originator (the guy who signed the package) intended. If you're lucky, then maybe the file was corrupted during the downloading (e.g. file not completely downloaded). You just need to re-download the package and try again. In the worst case, an intruder has created a malicious package and made you think that you've downloaded it from the correct website. Who knows what the malicious package does!?

Noi> When possible I would not install a package that failed the
Noi> check

You should! And it is absolutely possible. Learn to use the 'rpm' command (is your system RPM based?).

Noi> but Yum doesn't seem to care.

Then, that's an insecure "feature" of Yum. Complain to its authors, and demand this bug be fixed.

Yum doesn't care about eating and drinking. Do YOU? And what do you do about it? Men SHOULD BE more flexible than computer programs. If Yum doesn't care about security but YOU DO, then run the rpm command YOURSELF. Or you would rather stop eating and drinking, because Yum doesn't care about these things? Why rely on broken tools or decisions made by them?

--
Lee Sau Dan
E-mail: danlee@informatik.uni-freiburg.de
Home page: http://www.informatik.uni-freiburg.de/~danlee
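The two replies above (Dorsai's "mangled in transit or doctored" and Lee Sau Dan's "not what the originator intended") describe the same decision: a digest mismatch means the bytes on disk are not the bytes the publisher checksummed, and the only safe response is to refuse the install, re-download, and verify again. The script below is an added example, not code from this thread or from yum/rpm; it models that decision on a constructed byte string rather than a real RPM, using assumed names (`verify_download`, `install_if_verified`, `simulate_truncated`, `simulate_tampered`). It shows both failure modes the replies mention: an incomplete transfer (caught early by a size check, and by the digest if no size is known) and a same-length file with one byte altered (caught only by the digest). For a real package, `rpm -K` does this work and also checks the GPG signature, which is what ties the digest to the signer rather than merely to a checksum list.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a downloaded package: 4 KiB of deterministic bytes.
# It is not a real RPM; it only needs to be something we can hash and corrupt.
GOOD_PACKAGE = bytes(range(256)) * 16

# In practice the expected digests come from the repository's signed metadata
# or a checksum list; here they are derived once from the known-good bytes.
EXPECTED_MD5 = hashlib.md5(GOOD_PACKAGE).hexdigest()
EXPECTED_SHA256 = hashlib.sha256(GOOD_PACKAGE).hexdigest()


@dataclass
class Verdict:
    ok: bool        # True only if every check we could run passed
    reason: str     # why the file was accepted or rejected


def verify_download(data: bytes, expected_md5: str,
                    expected_sha256: Optional[str] = None,
                    expected_size: Optional[int] = None) -> Verdict:
    """Decide whether a downloaded package may be installed.

    Order of checks: size first (cheap, and it names the likely cause of a
    truncated transfer), then each digest we have an expected value for.
    hmac.compare_digest keeps the comparison constant-time.
    """
    if expected_size is not None and len(data) != expected_size:
        return Verdict(False, f"size mismatch: got {len(data)} bytes, expected "
                              f"{expected_size} (incomplete download?)")
    if not hmac.compare_digest(hashlib.md5(data).hexdigest(), expected_md5):
        return Verdict(False, "md5 mismatch: contents differ from what the publisher shipped")
    if expected_sha256 is not None and not hmac.compare_digest(
            hashlib.sha256(data).hexdigest(), expected_sha256):
        return Verdict(False, "sha256 mismatch: contents differ from what the publisher shipped")
    return Verdict(True, "all digests match")


def simulate_truncated(data: bytes, keep: int) -> bytes:
    """Model an interrupted transfer: only the first `keep` bytes arrived."""
    return data[:keep]


def simulate_tampered(data: bytes, offset: int) -> bytes:
    """Model a doctored file: one byte flipped, length unchanged."""
    return data[:offset] + bytes([data[offset] ^ 0x01]) + data[offset + 1:]


def install_if_verified(data: bytes) -> str:
    """The policy yum should apply: any verification failure blocks the install."""
    verdict = verify_download(data, EXPECTED_MD5, EXPECTED_SHA256, len(GOOD_PACKAGE))
    if not verdict.ok:
        return f"REFUSED: {verdict.reason}; re-download and verify again"
    return "INSTALLED"


if __name__ == "__main__":
    print(install_if_verified(GOOD_PACKAGE))
    print(install_if_verified(simulate_truncated(GOOD_PACKAGE, 3000)))
    print(install_if_verified(simulate_tampered(GOOD_PACKAGE, 1234)))
```

Note that a matching digest only proves the file equals whatever the checksum list says; if an attacker can replace both the package and its checksum on the mirror, the digest check passes. That is why the signature check (the "gpg" part of `rpm -K` output) is the step that should not be skipped, and why Lee Sau Dan's advice to run rpm's own verification rather than trusting the downloader is the right one.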