FTP server potentially compromised #408
Comments
BTW I also tried to open an issue in the forum but my message is still under review. |
Hello! It appears that the hdf5-1.8.22.tar.bz2 file is okay. However, the checksum we provide is “md5” and not “sha256”. I used “wget” to download the checksum and bz2 files, and then compared the checksum values:
$ wget https://support.hdfgroup.org/ftp/HDF5/releases/hdf5-1.8/hdf5-1.8.22/src/hdf5-1.8.22.tar.bz2
$ more hdf5-1.8.22.md5
$ md5sum hdf5-1.8.22.tar.bz2
-Barbara |
This doesn't have anything to do with the type of checksum. If the checksum changed it means the file changed, regardless of the type of hash you provide. If the md5 did not change that makes it more likely that this was a malicious attack. If the file is not intentionally changed by the hdf group I think we'll need to treat the file as compromised in homebrew. |
Looking back at emails to Lori for the release announcement, it was discovered on February 5 that the so numbers for the c++ libraries had not been updated, a new source release was created, and the files on the public ftp server replaced, followed by the public announcement. The release date on https://portal.hdfgroup.org/display/support/HDF5%201.8.22 should have been updated to February 5. The sha256 checksum reported for the hdf5-1.8.22.tar.bz2 file on the public ftp server matches that of the February 5 release file in our internal release directory. I will check the other files and report on all of them.
Larry
|
Thanks. If the software was retagged that would explain the discrepancy. The git manual says re-tagging is "the insane thing" to do, so I would advise upping the version and making a bug fix a separate release next time. It would stop some people providing hdf to the public from worrying about the source. |
Noted.
These are the sha256 checksums for the files in our internal release directory:
4cf9139aab5d2d699b922494e01467c596443c9ef28b52def50b4a83a84c0657 CMake-hdf5-1.8.22.tar.gz
97084a5e10974531eb7c3bd0ffeb63b308353b4cbbf08d768caa36c5b975140e CMake-hdf5-1.8.22.zip
89d6fb362f1fbe8e9d8144aff6776fe8ed26804d80dc35f30b0b1f1be6e827d3 hdf5-1.8.22.tar
689b88c6a5577b05d603541ce900545779c96d62b6f83d3f23f46559b48893a4 hdf5-1.8.22.tar.bz2
8406d96d9355ef8961d2739fb8fd5474ad4cdf52f3cfac657733defd9709bfaa hdf5-1.8.22.tar.gz
8c09da46c1611b1cdbc8966e56ab651f4f9e197751d7ae8fb97450cf41e5fd66 hdf5-1.8.22.zip
They match the checksums on files downloaded from https://portal.hdfgroup.org/display/support/HDF5+1.8.22#files.
Apologies for the confusion. Thank you for your vigilance.
Larry
|
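The verification the thread circles around has two distinct parts: the md5 file served next to the tarball only proves the download arrived intact (it is replaced together with the tarball), while the sha256 a downstream packager pinned at first release is what actually reveals that the server's copy changed, whatever hash algorithm the pin uses. The following script is an added example, not code from this thread or from the HDF Group; the two byte strings are constructed stand-ins for the first and second upload of hdf5-1.8.22.tar.bz2, and the function names are the example's own.

```python
import hashlib

# Constructed sample artifacts standing in for the two versions of
# hdf5-1.8.22.tar.bz2 discussed in the thread (not the real tarballs):
# the bytes a package manager pinned when the release first appeared, and
# the bytes the server started serving after the file was replaced.
ORIGINAL_RELEASE = b"hdf5-1.8.22 source tarball -- constructed sample, first upload\n"
REPLACED_RELEASE = b"hdf5-1.8.22 source tarball -- constructed sample, re-upload with fixed .so numbers\n"


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of `data` under any hashlib algorithm (md5, sha256, ...)."""
    return hashlib.new(algorithm, data).hexdigest()


def parse_checksum_file(text: str) -> dict:
    """Parse the 'HASH  filename' lines that md5sum/sha256sum write.

    A leading '*' on the filename marks binary mode and is dropped.
    """
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed checksum line: {line!r}")
        hash_value, name = parts
        table[name.lstrip("*")] = hash_value.lower()
    return table


def classify(data: bytes, filename: str, pinned_digest: str, pinned_algorithm: str,
             published_checksums: str, published_algorithm: str) -> str:
    """Compare a downloaded file against two references and say what happened.

    - published_checksums: the checksum file served next to the download
      (e.g. hdf5-1.8.22.md5). Matching it only shows the download arrived
      intact; it cannot reveal that the server's copy was replaced, because
      the checksum file is replaced along with it.
    - pinned_digest: the hash a downstream packager recorded at first release.
      Matching it shows the bytes are the ones originally audited; a mismatch
      means the file changed, regardless of which hash algorithm the pin uses.

    Returns one of "ok", "download_corrupt", "file_replaced_since_pin".
    """
    published = parse_checksum_file(published_checksums)
    if filename not in published:
        raise KeyError(f"{filename} not listed in published checksum file")
    if digest(data, published_algorithm) != published[filename]:
        return "download_corrupt"
    if digest(data, pinned_algorithm) != pinned_digest.lower():
        return "file_replaced_since_pin"
    return "ok"


def demo() -> dict:
    """Run the three situations from the thread and return their verdicts."""
    name = "hdf5-1.8.22.tar.bz2"
    # The packager pinned the first upload with sha256 ...
    pin_sha256 = digest(ORIGINAL_RELEASE, "sha256")
    # ... while the server publishes md5 next to whatever it currently serves.
    md5_file_at_first_upload = f"{digest(ORIGINAL_RELEASE, 'md5')}  {name}\n"
    md5_file_after_replacement = f"{digest(REPLACED_RELEASE, 'md5')}  {name}\n"
    # A download that broke off early: fails even the published checksum.
    truncated_download = REPLACED_RELEASE[:-5]
    return {
        "first_upload": classify(ORIGINAL_RELEASE, name, pin_sha256, "sha256",
                                 md5_file_at_first_upload, "md5"),
        "after_replacement": classify(REPLACED_RELEASE, name, pin_sha256, "sha256",
                                      md5_file_after_replacement, "md5"),
        "corrupt_download": classify(truncated_download, name, pin_sha256, "sha256",
                                     md5_file_after_replacement, "md5"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The "after_replacement" case is the one Homebrew hit: the re-uploaded tarball verifies cleanly against the md5 file on the same server, and only the pinned sha256 from the first upload flags that the bytes changed. A packager seeing that verdict cannot tell a legitimate re-upload from a tampered one from the hashes alone, which is why the thread needed the maintainer's internal checksum list to settle it.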
Thanks! |
Hi. Homebrew maintainer here.
When 1.8.22 was initially released, the https://support.hdfgroup.org/ftp/HDF5/releases/hdf5-1.8/hdf5-1.8.22/src/hdf5-1.8.22.tar.bz2 file had a sha256 of: 0ac77e1c22bce5bbbdb337bd7f97aeb5ef43c727a84ccb6d683d092eb57ebd8e
The file's sha256 is now 689b88c6a5577b05d603541ce900545779c96d62b6f83d3f23f46559b48893a4.
This means that the initial file on your FTP was replaced. I doubt this is expected?
Originally posted by @iMichka in #279 (comment)