Hello all, I updated apache2 through YOU. I noticed that nearly no file has been changed except httpd2-prefork. I have chrooted apache2, so every time an apache2 patch comes to the surface I check the apache2*.rpm for recent changes (in bytes, timestamp) and then copy it to the chrooted area. I noticed that /usr/sbin/httpd2-prefork has a new timestamp (22/jul) but the same size (in bytes) as the older one. Can anyone explain to me what this means? How has the patch fit in that binary while the size remains the same? Thanks in advance, John
John wrote:
hello all
Hi John
I noticed that /usr/sbin/httpd2-prefork has new timestamp (22/jul) but the same size (in bytes) with the older one.
AFAIK the patch was just a small one, the vulnerability is an off-by-one error in mod_ssl. What exactly has changed can be found here: http://svn.apache.org/viewcvs.cgi/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=179781&view=diff&r1=179781&r2=179780&p1=httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c&p2=/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
Can anyone explain to me what does this mean? How the patch has fit in that binary and the size remains the same?
If you want to be totally sure, if you have got the changed binary in your chroot environment calculate an md5 hash over the old and the new file, the md5sums should differ. Regards Reto
From: Reto Inversini <inversini@datacomm.ch> To: suse-security@suse.com Date: Wednesday, July 27, 2005, 11:02:54 PM Subject: [suse-security] apache2 patch Wednesday, July 27, 2005, 11:02:54 PM, you wrote:
John wrote:
hello all
Hi John
I noticed that /usr/sbin/httpd2-prefork has new timestamp (22/jul) but the same size (in bytes) with the older one.
AFAIK the patch was just a small one, the vulnerability is an off-by-one error in mod_ssl. What exactly has changed can be found here:
Can anyone explain to me what does this mean? How the patch has fit in that binary and the size remains the same?
If you want to be totally sure, if you have got the changed binary in your chroot environment calculate an md5 hash over the old and the new file, the md5sums should differ.
Regards Reto
Ok, I saw that piece of code. But how can the binary be the same? YOU downloaded the apache2-prefork*.rpm and apache2-*.rpm. The above rpms installed at once. So the old binaries must have been overwritten, but they have exactly the same size. md5sum outputs the hash of the file size. I will then receive the same hash for the old and the new binary httpd2-prefork, won't I?
Hi, John wrote:
Ok, I saw that piece of code. But how can the binary be the same?
YOU downloaded the apache2-prefork*.rpm and apache2-*.rpm.
The above rpms installed at once. So the old binaries must have been overwritten, but they have exactly the same size.
Can you imagine that a "Decrement and jump if zero" and a "Jump if zero" in assembler might be the same size? So, referring to the patch, I can really imagine that the file size might be the same. But I guess there would be 2 bytes different in the binary.
md5sum outputs the hash of the file size. I will then receive the same hash for the old and the new binary httpd2-prefork, won't I?
Definitely not. Check out RFC 1321. Greetings, Dirk
-- xcldsc TRIA IT-consulting GmbH Joseph-Wild-Straße 20 81829 München Germany Tel: +49 (89) 92907-0 Fax: +49 (89) 92907-100 http://www.tria.de -------------------------------------------------------- working hard | for your success -------------------------------------------------------- Registergericht München HRB 113466 USt.-IdNr. DE 180017238 Steuer-Nr. 802/40600 Geschäftsführer: Richard Hofbauer kaufm. Geschäftsleitung: Rosa Igl -------------------------------------------------------- Nachricht von: Dirk.Schreiner@tria.de Nachricht an: isofroni@cc.uoi.gr, suse-security@suse.com # Dateianhänge: 0 Die Mitteilung dieser E-Mail ist vertraulich und nur für den oben genannten Empfänger bestimmt. Wenn Sie nicht der vorgesehene Empfänger dieser E-Mail oder mit der Aushändigung an ihn betraut sind, weisen wir darauf hin, daß jede Form der Kenntnisnahme, Veröffentlichung, Vervielfältigung sowie Weitergabe des Inhalts untersagt ist. Wir bitten Sie uns in diesem Fall umgehend zu unterrichten. Vielen Dank The information contained in this E-Mail is privileged and confidental intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient or competent to deliver it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this E-Mail is strictly prohibited. If you have received this E-Mail in error, please notify us immediately. Thank you
Hi! Dirk Schreiner wrote:
"Decrement and jump if zero" and a "Jump if zero" in assembler might be the same size.
So, referring to the patch, I can really imagine that the file size might be the same. But I guess there would be 2 bytes different in the binary.
So this means a patch would be 2 bytes long + address information? So why such big update-files? Philippe
--
This message is digitally signed and contains neither seal nor signature! Sending unsolicited advertising mail to private individuals violates §1 UWG and 823 I BGB (decision of the LG Berlin of 2.8.1998, Az: 16 O 201/98). Any commercial use of the transmitted personal data, as well as passing it on to third parties, is expressly prohibited!
Hi, Philippe Vogel wrote:
Hi!
Dirk Schreiner wrote:
"Decrement and jump if zero" and a "Jump if zero" in assembler might be the same size.
So, referring to the patch, I can really imagine that the file size might be the same. But I guess there would be 2 bytes different in the binary.
So this means a patch would be 2 bytes long + address information? So why such big update-files?
No, it means it _could_ be. But as I do not have both binaries handy, I really cannot tell. Big update files: I guess it is far easier to deliver a new file, check the md5sum, as YOU is doing, and then move the file over the old file, which is, as you know, an atomic operation, than delivering a patch, copying the old file, editing the old file, and then checking the md5sum, and afterwards moving. But if you really want to know, you'll have to ask the Novell guys. Dirk
/ 2005-07-28 11:00:19 +0200 \ Philippe Vogel:
So this means a patch would be 2 bytes long + address information? So why such big update-files?
there are update rpms, update .patch.rpms, and update .delta.rpms.
ls -l apache2-prefork-2.0.53-9*
213624 apache2-prefork-2.0.53-9.2.i586.patch.rpm
 76867 apache2-prefork-2.0.53-9_9.2.i586.delta.rpm
about 70k of them is rpm header payload (file list, changelog data, info etc.) so you get about 4k of actual delta payload, and the binary to be patched is about 350k.
what are you talking about?
cheers, Lars Ellenberg
Hi all - Interesting conversation. Is it possible to do a binary grep on the two files, and see exactly where the difference is? my 2c Keith Roberts http://www.karsites.net/ On Thu, 28 Jul 2005, Lars Ellenberg wrote:
about 70k of them is rpm header payload (file list, changelog data, info etc.) so you get about 4k of actual delta payload, and the binary to be patched is about 350k.
From: suse@karsites.net <suse@karsites.net> To: suse-security@suse.com Date: Thursday, July 28, 2005, 1:16:00 PM Subject: [suse-security] apache2 patch Thursday, July 28, 2005, 1:16:00 PM, you wrote:
Hi all - Interesting conversation.
Is it possible to do a binary grep on the two files, and see exactly where the difference is?
my 2c
Keith Roberts
On Thu, 28 Jul 2005, Lars Ellenberg wrote:
about 70k of them is rpm header payload (file list, changelog data, info etc.) so you get about 4k of actual delta payload, and the binary to be patched is about 350k.
here are my tries
monster:~ # md5sum -b /chroot/usr/sbin/httpd2-prefork
759ca3e33e02b451feb7fafc2644da4b */chroot/usr/sbin/httpd2-prefork
monster:~ # md5sum -b /usr/sbin/httpd2-prefork
38cd81e70e16a60474b8a2c2e2be872d */usr/sbin/httpd2-prefork
monster:~ # ll /usr/sbin/httpd2-prefork
-rwxr-xr-x 1 root root 440615 Jul 22 22:47 /usr/sbin/httpd2-prefork
monster:~ # ll /chroot/usr/sbin/httpd2-prefork
-rwxr-xr-x 1 root root 440615 Feb 27 21:18 /chroot/usr/sbin/httpd2-prefork
Hi, John wrote:
here are my tries
monster:~ # md5sum -b /chroot/usr/sbin/httpd2-prefork
759ca3e33e02b451feb7fafc2644da4b */chroot/usr/sbin/httpd2-prefork
monster:~ # md5sum -b /usr/sbin/httpd2-prefork
38cd81e70e16a60474b8a2c2e2be872d */usr/sbin/httpd2-prefork
monster:~ # ll /usr/sbin/httpd2-prefork
-rwxr-xr-x 1 root root 440615 Jul 22 22:47 /usr/sbin/httpd2-prefork
monster:~ # ll /chroot/usr/sbin/httpd2-prefork
-rwxr-xr-x 1 root root 440615 Feb 27 21:18 /chroot/usr/sbin/httpd2-prefork
http://sourceforge.net/projects/biew/ Dirk
Ah, sorry,
This one has diff ;-) http://www.dataworkshop.de/ Dirk
Is it possible to do a binary grep on the two files, and see exactly where the difference is?
--> Or use "hexedit" to create two ASCII hexdumps of the binaries and then ordinary diff to find the offset which differs. Armin -- Am Hasenberg 26 office: Institut für Atmosphärenphysik D-18209 Bad Doberan Schloss-Straße 6 Tel. ++49-(0)38203/42137 D-18225 Kühlungsborn / GERMANY Email: schoech@iap-kborn.de Tel. +49-(0)38293-68-102 WWW: http://armins.cjb.net/ Fax. +49-(0)38293-68-50
/ 2005-07-28 13:04:26 +0000 \ Armin Schoech:
Is it possible to do a binary grep on the two files, and see exactly where the difference is?
--> Or use "hexedit" to create two ASCII hexdumps of the binaries and then ordinary diff to find the offset which differs.
diff -u <(hexdump -C a) <(hexdump -C b) | less ;-)
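The checks discussed in this thread (same size, different MD5, which bytes changed) can be combined into one script. This is an added example, not part of the original thread; the function names are hypothetical and the two sample files are constructed, not the real httpd2-prefork binaries.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Compares two builds of a file the way the thread discusses: size, MD5,
# and the exact offsets of the bytes that changed.

file_size() { wc -c < "$1" | tr -d ' '; }

file_md5() { md5sum "$1" | cut -d' ' -f1; }

# One line per differing byte: "<0-based hex offset> <old byte> <new byte>".
diff_offsets() {
    # cmp -l prints: <1-based decimal offset> <old octal> <new octal>
    cmp -l "$1" "$2" 2>/dev/null | awk '
        function oct(s,   i, n) {
            n = 0
            for (i = 1; i <= length(s); i++) n = n * 8 + substr(s, i, 1)
            return n
        }
        { printf "0x%06x %02x %02x\n", $1 - 1, oct($2), oct($3) }'
}

compare_builds() {
    if cmp -s "$1" "$2"; then
        echo "identical"
    elif [ "$(file_size "$1")" -eq "$(file_size "$2")" ]; then
        n=$(diff_offsets "$1" "$2" | wc -l | tr -d ' ')
        echo "same size, different content: $n byte(s) changed"
    else
        echo "different size"
    fi
}

# Constructed sample data: two 10-byte files that differ in two bytes.
make_samples() {
    printf 'HEAD\164\005TAIL' > "$1/old.bin"
    printf 'HEAD\165\004TAIL' > "$1/new.bin"
}

demo=$(mktemp -d)
make_samples "$demo"
ls -l "$demo"
echo "old md5: $(file_md5 "$demo/old.bin")"
echo "new md5: $(file_md5 "$demo/new.bin")"
compare_builds "$demo/old.bin" "$demo/new.bin"
diff_offsets "$demo/old.bin" "$demo/new.bin"
rm -rf "$demo"
```

For the chroot workflow from the first message, `compare_builds /usr/sbin/httpd2-prefork /chroot/usr/sbin/httpd2-prefork` reports whether the chroot copy still lags behind the updated binary.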
participants (7)
- Armin Schoech
- Dirk Schreiner
- John
- Lars Ellenberg
- Philippe Vogel
- Reto Inversini
- suse@karsites.net