oss-sec mailing list archives

Re: Reproducible Builds for Fedora


From: Sebastian Krahmer <krahmer () suse de>
Date: Wed, 25 Sep 2013 16:19:29 +0200

Hi

On Wed, Sep 25, 2013 at 09:59:59AM -0400, Steve Grubb wrote:
> Hello,
> 
> On Wednesday, September 25, 2013 10:08:01 AM Sebastian Krahmer wrote:
> > I was checking rpm-compare to see how it actually does the compare
> > and you have:
> > 
> > [...]
> >                 base=`basename $f`
> >                 objdump -d rpm1/$f | grep -v $base > dump1
> >                 objdump -d rpm2/$f | grep -v $base > dump2
> >                 diff -u dump1 dump2 > /dev/null
> >                 if [ $? -ne 0 ] ; then
> >                           echo "File disassembly differs $f"
> >                           cnt=`expr $cnt + 1`
> >                 fi
> > [...]
> > 
> > for ELF files and doing a sha256sum for other file types. My concern is
> > that attackers could construct a package that contains function-names that
> > match the basename of the binary that you are checking.
> 
> Thanks for the feedback. I think the 'grep -v' can be replaced with sed 
> '1,2d'. Its purpose was to delete the file path that objdump inserts at the top 
> which causes miscompares.

What about using NT_GNU_BUILD_ID? By reading the ld source, it looks like all
ELF sections with content are covered by the hash. Or are there any sections
you want to skip? (It'd be a more clean solution IMHO, and probably the first
real use-case for NT_GNU_BUILD_ID.)

Sebastian

-- 

~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer () suse de - SuSE Security Team
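The following is an added example, not code from the thread or from rpm-compare itself. It models the two ways of dropping objdump's file header discussed above: filtering by basename (`grep -v $base`) versus deleting the two header lines (`sed '1,2d'`). The objdump output is a constructed stand-in, and one symbol is deliberately named after the binary so the difference between the two filters is visible.

```python
"""Added example (not from the thread): header stripping for objdump output.

objdump -d starts its output with a blank line and a "<path>:     file format"
line, and the path differs between two rebuilt packages. The comparison must
drop that header without also dropping disassembly lines.
"""

# Constructed stand-in for `objdump -d rpm1/usr/bin/foo`. The symbol "foo"
# is deliberately named like the binary's basename.
DUMP_RPM1 = """
rpm1/usr/bin/foo:     file format elf64-x86-64


Disassembly of section .text:

0000000000001000 <foo>:
    1000:\t55                   \tpush   %rbp
    1001:\tc3                   \tret
"""

# The same code rebuilt under another path: only the header line differs.
DUMP_RPM2 = DUMP_RPM1.replace("rpm1/", "rpm2/")


def strip_by_grep(dump: str, base: str) -> list[str]:
    """Mimics `grep -v $base`: removes every line containing the basename,
    which includes symbol lines such as '<foo>:' and not only the header."""
    return [line for line in dump.splitlines() if base not in line]


def strip_header(dump: str) -> list[str]:
    """Mimics `sed '1,2d'`: removes exactly the two header lines objdump
    emits, independent of what the symbols in the binary are called."""
    return dump.splitlines()[2:]


def symbol_lines(lines: list[str]) -> list[str]:
    """Return the '<symbol>:' lines that survived a filter."""
    return [line for line in lines if line.endswith(">:")]


def disassembly_differs(dump_a: str, dump_b: str) -> bool:
    """Header-independent comparison of two objdump outputs."""
    return strip_header(dump_a) != strip_header(dump_b)


if __name__ == "__main__":
    print("symbols kept by grep -v:", symbol_lines(strip_by_grep(DUMP_RPM1, "foo")))
    print("symbols kept by sed 1,2d:", symbol_lines(strip_header(DUMP_RPM1)))
    print("rpm1 vs rpm2 differs:", disassembly_differs(DUMP_RPM1, DUMP_RPM2))
```

With the basename filter the `<foo>:` symbol line disappears from both dumps, so the comparison no longer sees the full disassembly; with the header-only deletion every disassembly line is kept and the two rebuilt packages still compare equal. Which lines objdump prints before the disassembly can change between binutils versions, so a check that the dropped lines actually look like the header (blank plus `file format`) is a cheap safeguard in a real script.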


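As an added example of the NT_GNU_BUILD_ID approach suggested above (not code from the thread), the block below parses the standard ELF note layout (Elf_Nhdr: namesz, descsz, type, followed by the 4-byte-aligned name and descriptor) and compares two builds by their GNU build ID. The note section contents are constructed inline; on a real binary the same bytes are the `.note.gnu.build-id` section that `readelf -n` prints as "Build ID".

```python
"""Added example (not from the thread): extract NT_GNU_BUILD_ID from ELF
note data and use it as a comparison key for two builds."""
import struct
from typing import Iterator, Optional, Tuple

NT_GNU_BUILD_ID = 3  # note type for the build ID; name is "GNU"
NT_GNU_ABI_TAG = 1   # another common GNU note, used here only as a sample


def parse_notes(data: bytes, little_endian: bool = True) -> Iterator[Tuple[bytes, int, bytes]]:
    """Yield (name, type, descriptor) for every note in a note section.

    Each note is a 12-byte header (namesz, descsz, type) followed by the
    name and the descriptor, each padded to a 4-byte boundary.
    """
    fmt = "<III" if little_endian else ">III"
    off = 0
    while off + 12 <= len(data):
        namesz, descsz, ntype = struct.unpack_from(fmt, data, off)
        off += 12
        name = data[off:off + namesz].rstrip(b"\0")
        off += (namesz + 3) & ~3
        desc = data[off:off + descsz]
        off += (descsz + 3) & ~3
        yield name, ntype, desc


def build_id(data: bytes) -> Optional[str]:
    """Return the build ID as hex, or None if the note is absent."""
    for name, ntype, desc in parse_notes(data):
        if name == b"GNU" and ntype == NT_GNU_BUILD_ID:
            return desc.hex()
    return None


def same_build(section_a: bytes, section_b: bytes) -> bool:
    """Two binaries count as the same build only if both carry a build ID
    and the IDs match; a missing note is never treated as a match."""
    id_a, id_b = build_id(section_a), build_id(section_b)
    return id_a is not None and id_a == id_b


def make_note(name: bytes, ntype: int, desc: bytes) -> bytes:
    """Constructed helper to encode one note, used only to build samples."""
    name_z = name + b"\0"
    pad = lambda b: b + b"\0" * (-len(b) % 4)
    return struct.pack("<III", len(name_z), len(desc), ntype) + pad(name_z) + pad(desc)


# Constructed sample note sections (the IDs are made up, not real hashes).
ID_A = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")
ID_B = bytes.fromhex("ffffffff89abcdef0123456789abcdef01234567")
SECTION_1 = make_note(b"GNU", NT_GNU_BUILD_ID, ID_A)
# A second build that also carries an ABI-tag note before the build ID.
SECTION_2 = (make_note(b"GNU", NT_GNU_ABI_TAG, struct.pack("<IIII", 0, 3, 2, 0))
             + make_note(b"GNU", NT_GNU_BUILD_ID, ID_A))
SECTION_3 = make_note(b"GNU", NT_GNU_BUILD_ID, ID_B)

if __name__ == "__main__":
    print("build 1:", build_id(SECTION_1))
    print("build 2 matches build 1:", same_build(SECTION_1, SECTION_2))
    print("build 3 matches build 1:", same_build(SECTION_1, SECTION_3))
```

One caveat for anyone using this as the comparison key: `ld --build-id` also accepts `uuid` or a fixed hex value instead of the default hash style, so two packages compare meaningfully by build ID only when both were linked with the content-derived style; a script should treat a missing or non-hash-style note as "unable to compare" rather than as a match.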