#51886: nmap @7.12 Minor portfile fixes
--------------------------+------------------------------
  Reporter:  gavin@…      |      Owner:  opendarwin.org@…
      Type:  enhancement  |     Status:  new
  Priority:  Normal       |  Milestone:
 Component:  ports        |    Version:
Resolution:               |   Keywords:  haspatch
      Port:  nmap         |
--------------------------+------------------------------

Comment (by gavin@…):

Replying to [comment:4 dluke@…]:
> Replying to [comment:3 gavin@…]:
> > Not sure what you mean regarding upstream releases but I'll take your word for it.
>
> If upstream provides an md5 or sha1 hash, it's useful to be able to have the same hash in the portfile.

Got it.

> > I was just imagining a scenario where malicious code could be introduced into the source taking advantage of the known hash collisions but still making the checksum valid. I realise there's a number of very specific conditions which would also need to be set up to make the scenario actually exploitable but I just figured for a security-related tool like this, if possible, it would be better than not to deprecate these HMACs.
>
> MacPorts validates the distfile against all of the hashes in the portfile. For that attack to work, you'd have to generate a malicious file that collides with each hash listed (having a weak hash like md5 or sha1 doesn't stop MacPorts from using the sha256 checksum).

Ah there be my incorrect assumption. I thought checksumming was an 'OR'. Thanks for clarifying.
--
Ticket URL: <https://trac.macports.org/ticket/51886#comment:5>
MacPorts <https://www.macports.org/>
Ports system for OS X
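
The all-hashes-must-match behaviour described in the thread, set against the 'OR' assumption, as an added Python sketch that is not MacPorts code and not part of the ticket. The function names and sample bytes are constructed for illustration, and the md5 entry in `MIXED_SPEC` is simply computed from the tampered bytes to stand in for a file that collides on the weak hash only.

```python
import hashlib

# Hash types this sketch understands; the thread mentions md5, sha1 and sha256.
SUPPORTED = ("md5", "sha1", "sha256")


def parse_checksums(spec):
    """Parse 'type hex type hex ...' pairs into an ordered list of tuples."""
    tokens = spec.split()
    if not tokens or len(tokens) % 2:
        raise ValueError("checksums must be non-empty type/value pairs")
    pairs = []
    for kind, value in zip(tokens[0::2], tokens[1::2]):
        if kind not in SUPPORTED:
            raise ValueError(f"unsupported checksum type: {kind}")
        pairs.append((kind, value.lower()))
    return pairs


def check_each(data, spec):
    """Return [(type, matched)] for every checksum listed in spec."""
    return [
        (kind, hashlib.new(kind, data).hexdigest() == want)
        for kind, want in parse_checksums(spec)
    ]


def verify_all(data, spec):
    """AND semantics: every listed checksum must match the file."""
    return all(ok for _, ok in check_each(data, spec))


def verify_any(data, spec):
    """OR semantics (the mistaken assumption): a single match is enough."""
    return any(ok for _, ok in check_each(data, spec))


# Constructed sample data, not the real nmap distfile.
GENUINE = b"constructed stand-in for the upstream tarball\n"
TAMPERED = GENUINE + b"modified content\n"

# Both entries computed from the genuine bytes, as a maintainer would record them.
GENUINE_SPEC = "md5 {} sha256 {}".format(
    hashlib.md5(GENUINE).hexdigest(), hashlib.sha256(GENUINE).hexdigest())

# md5 entry taken from TAMPERED to model a weak-hash match; sha256 is genuine.
MIXED_SPEC = "md5 {} sha256 {}".format(
    hashlib.md5(TAMPERED).hexdigest(), hashlib.sha256(GENUINE).hexdigest())
```

Under AND semantics the tampered bytes are rejected because the sha256 entry still fails, while an OR check would have accepted them on the md5 match alone.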