oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Reproducible Builds for Fedora

From: Steve Grubb <sgrubb () redhat com>
Date: Wed, 25 Sep 2013 09:59:59 -0400
Hello,

On Wednesday, September 25, 2013 10:08:01 AM Sebastian Krahmer wrote:

I was checking the rpm-compare how it actually is doing the compre
and you have:

[...]
                base=`basename $f`
                objdump -d rpm1/$f | grep -v $base > dump1
                objdump -d rpm2/$f | grep -v $base > dump2
                diff -u dump1 dump2 > /dev/null
                if [ $? -ne 0 ] ; then
                          echo "File disassembly differs $f"
                          cnt=`expr $cnt + 1`
                fi
[...]

for ELF files and doing a sha256sum for other file types. My concern is
that attackers could construct a package that contains function-names that
match the basename of the binary that you are checking.


Thanks for the feedback. I think the 'grep -v' can be replaced with sed 
'1,2d'. Its purpose was to delete the file path that objdump inserts at the top 
which causes miscompares.

-Steve
Previous By Date Next
Previous By Thread Next

Current thread: