Security Incidents mailing list archives

MD5 mystery


From: Joern Kersten <jkersten () ph tum de>
Date: Mon, 14 Oct 2002 14:19:25 +0200 (CEST)

Hi!

I've got a pretty weird problem with the MD5 checksum of an RPM under SuSE
Linux.  Probably it's harmless, but I'd rather make sure nothing evil's
going on.

Trouble started with an online update of SuSE Linux 7.3 at the beginning
of this year.  Unfortunately, I didn't check the new packages right away
but postponed this for several months (in the meantime, I had updated to
SuSE 8.0).  When I finally got to it, an incorrect MD5 was reported for
2 packages.  A second check yielded a correct checksum for one of them,
so I didn't worry about it and deleted it (which is why I don't remember
which package it was).  Further checks of the 2nd file (yast.rpm from
the series a1) kept reporting an incorrect checksum (I didn't keep the
exact message from rpm because I considered the problem reproducible).

Now the interesting part: A few weeks later, rpm claimed MD5 and
signature to be correct!  This state lasted until two days ago, when rpm
changed its mind again and reported varying MD5s, but not the correct
one.  However, when I checked the file on different computers (two of
which I don't have any account on), everything was fine again.

Any idea what's happening here?  The security people from SuSE suggested
some hardware glitch.  Probably this is the best explanation, but in
this case it's strange that my machine has been running pretty stable.


Some more details, in case it helps:

The "positive" message from rpm (obtained with
rpm -v --checksig yast.rpm) is

yast.rpm:
MD5 sum OK: 85701784e20435d056a6762e35345bf3
gpg: Warning: using insecure memory!
gpg: Signature made Fri 14 Dec 2001 02:18:34 PM CET using DSA key ID 9C800ACA
gpg: Good signature from "SuSE Package Signing Key <build () suse de>"


The first "negative" message from two days ago was

yast.rpm:
MD5 sum mismatch
Expected: 85701784e20435d056a6762e35345bf3
Saw     : e958deded0959461a3732bb556787115
gpg: verify signatures failed: eof


Afterwards, this remained constant except that the "seen" MD5 changed
from time to time.  Some of the values were
Saw     : 5ef813755afc6e79d97af73c0273574c
Saw     : f958638c8857468f255ae725e16ee38d
Saw     : 51bb525f55b6790d29bcab6352366dcc
Saw     : 1bab0aa9aac8ee671be81b7c0654eb91
Saw     : 5680b204206c33d9825b235158ae29cc
Saw     : c31c754850a67a1218b40dbd7fe97ee5


Finally, some information from rpm -q -i -p yast.rpm:
Version: 1.13.3
Release: 0
Build Date: Fre 14 Dez 2001 14:12:43 CET
Size: 5842880
Source RPM: yast-1.13.3-0.src.rpm

Cheers,
Joern
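
Added example, not part of the original post: a sketch of how to tell the two situations in the message apart, a file that hashes differently on every read (pointing at RAM, disk or controller) versus one that is consistently wrong (the bytes really differ from what was signed). The function names, the 64 KiB chunk size and the pass count are assumptions made for this illustration.

```python
import hashlib
import sys
from collections import Counter

CHUNK = 64 * 1024  # assumed block size for localising differences


def chunk_digests(path, chunk_size=CHUNK):
    """One read pass: return (whole-file MD5, list of per-chunk MD5s)."""
    whole, parts = hashlib.md5(), []
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                break
            whole.update(block)
            parts.append(hashlib.md5(block).hexdigest())
    return whole.hexdigest(), parts


def unstable_chunks(passes):
    """Map chunk index -> Counter of digests, for chunks that differ between passes."""
    unstable = {}
    for i in range(max(len(p) for p in passes)):
        seen = Counter(p[i] if i < len(p) else "<missing>" for p in passes)
        if len(seen) > 1:
            unstable[i] = seen
    return unstable


def diagnose(path, expected_md5, passes=5, chunk_size=CHUNK):
    """Hash the same file several times and classify the outcome."""
    results = [chunk_digests(path, chunk_size) for _ in range(passes)]
    totals = Counter(whole for whole, _ in results)
    bad = unstable_chunks([parts for _, parts in results])
    if len(totals) > 1:
        verdict = "unstable"          # same file, different bytes per read
    elif expected_md5 in totals:
        verdict = "ok"
    else:
        verdict = "stable-mismatch"   # consistently differs from the expected sum
    return {"verdict": verdict, "totals": totals,
            "unstable_offsets": [i * chunk_size for i in sorted(bad)]}


if __name__ == "__main__":
    # usage: python script.py yast.rpm <expected md5>
    report = diagnose(sys.argv[1], sys.argv[2])
    print(report["verdict"], dict(report["totals"]), report["unstable_offsets"])
```

Repeated passes may be served from the operating system's page cache, so a clean run right after a bad one does not rule out a fault on the path from disk; copying the file to another machine and comparing per-chunk digests there gives an independent reference.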

