[arch-general] Packages Verified with MD5

Taylor Hornby havoc at defuse.ca
Sun Jan 12 01:09:45 EST 2014


I noticed that the TrueCrypt package is downloaded over an insecure FTP
connection and then only verified using MD5 hashes.

https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/truecrypt

There are practical collision attacks against MD5. This means an
adversary (e.g. the NSA) can construct two versions of the truecrypt
binaries, one malicious and one not, which have the same MD5 hash. They
can silently replace the file being downloaded with the malicious
version and the change will not be detected.

This should be fixed to use SHA256 hashes, like the Firefox package:

https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/firefox

How can I help make it use SHA256 instead of MD5? I'm relatively new to
arch, so I'm not familiar with what it takes to change something in the
repos. Any advice would be appreciated.

Are there other packages still being verified with MD5? Can we fix them
too? I'll gladly donate my time if it's not something that can be automated.

Thanks,
-- 
Taylor Hornby

p.s. This might be better suited to arch-dev-public, but I think users
should be informed of the vulnerability, so I decided on arch-general.


More information about the arch-general mailing list