[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: announce-gen: Show an SHA256 sum that can be verified more easily
|
From: |
Pádraig Brady |
|
Subject: |
Re: announce-gen: Show an SHA256 sum that can be verified more easily |
|
Date: |
Mon, 2 Dec 2024 22:52:35 +0000 |
|
User-agent: |
Mozilla Thunderbird Beta |
On 02/12/2024 21:11, Jeffrey Walton wrote:
It turns out that Base64 is malleable. All tools do not produce the
same results. Also see <https://eprint.iacr.org/2022/361>.
Whether Base64 malleability leads to a vulnerability is another question.
This might be an issue for non canonicity, particularly with signed checksum
files,
but it shouldn't introduce a vulnerability.
In any case the malleability should be somewhat addressed in the GNU versions
at least with:
https://github.com/coreutils/gnulib/commit/3f463202bd
cheers,
Pádraig