Eternal 'good file hashes' list
Tomas Mraz
tmraz at redhat.com
Tue Oct 20 19:22:13 UTC 2009
On Tue, 2009-10-20 at 10:45 +0200, Ralf Ertzinger wrote:
> Hi.
>
> On Tue, 20 Oct 2009 10:20:17 +0200, Tomas Mraz wrote:
>
> > What would this be good for? Actually for some files it would be a
> > known bad file hashes because these files (binaries or scripts) would
> > contain known vulnerabilities and so knowing that you have a file
> > that was once included in Fedora does not guarantee you almost
> > anything.
>
> I'm not sure I follow you here. Containing a known vulnerability in a
> binary file has nothing to do with the hash.
I simply meant that if the attacker wanted to compromise your system he
could just revert some binary or script to a vulnerable version which
was previously included in Fedora. So having the files on your system to
match hashes from older package releases does not provide you any
security. For a real security you need to match the hashes against
current package versions.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
More information about the fedora-devel-list
mailing list