
This queue is for tickets about the Hash-MD5 CPAN distribution.

Report information
The Basics
Id: 101585
Status: resolved
Priority: 0/
Queue: Hash-MD5

People
Owner: MZIESCHA [...] cpan.org
Requestors: SREZIC [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in:
  • 0.03
  • 0.04
Fixed in: 0.05



Subject: Digest collision possible
It's quite easy to construct two different arrays or hashes which have the same fingerprint. For example:

    $ perl -MHash::MD5=sum_array -MTest::More=no_plan -e 'isnt sum_array([1,2]), sum_array([q{1","2}])'
    not ok 1
    #   Failed test at -e line 1.
    #          got: '9539d9b288df67c71407a1701e2b99d6'
    #     expected: anything else
    1..1
    # Looks like you failed 1 test of 1.
On Sat 17 Jan 2015, 03:00:31, SREZIC wrote:
> It's quite easy to construct two different arrays or hashes which have
> the same fingerprint. For example:
>
> $ perl -MHash::MD5=sum_array -MTest::More=no_plan -e 'isnt
> sum_array([1,2]), sum_array([q{1","2}])'
> not ok 1
> #   Failed test at -e line 1.
> #          got: '9539d9b288df67c71407a1701e2b99d6'
> #     expected: anything else
> 1..1
> # Looks like you failed 1 test of 1.
Thank you for your test. I just forgot this case. In version 0.04 it's fixed.
- arrayref and hashref got an extra element with the number of counted elements (special thanks to SREZIC)
On 2015-01-17 17:53:16, MZIESCHA wrote:
> - arrayref and hashref got an extra element with the number of counted
> elements
> (special thanks to SREZIC)
Still with 0.04 it's easily possible to create collisions:

    $ perl5.18.4 -MHash::MD5=sum_array -MTest::More=no_plan -e 'isnt sum_array([q{1","2}, 3]), sum_array([1,q{2","3}])'
    not ok 1
    #   Failed test at -e line 1.
    #          got: 'd74f2382924cbf78eb5e5d0ae2c2060c'
    #     expected: anything else
    1..1
    # Looks like you failed 1 test of 1.

I think it's much easier if you use a perfect canonical serialization here. Something like md5_hex(encode_json($data_structure)) or any other serialization algorithm (Data::Dumper, Storable ...), but make sure that the canonical flag in these modules is set.
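The collision class above, and the canonical-serialization fix proposed in the reply, as an added illustration that is not part of this ticket or of Hash::MD5 itself. The two "naive" fingerprint functions are an assumed simplified model of quoting each element and joining with commas (and, for the 0.04 variant, appending the element count); they are not the module's actual code. The canonical variant serializes with sorted keys and fixed separators so that different structures cannot share a byte string.

```python
import hashlib
import json

# Assumed model of the original 0.03 behaviour: quote each element, join
# with commas, hash the result. The element delimiter can appear inside
# an element, so different arrays can serialize to the same bytes.
def naive_fingerprint(items):
    serialized = ",".join('"%s"' % item for item in items)
    return hashlib.md5(serialized.encode()).hexdigest()

# Assumed model of the 0.04 change: same serialization plus the element
# count. Two arrays with the same count still collide when their quoted
# elements concatenate to the same bytes.
def counted_fingerprint(items):
    serialized = ",".join('"%s"' % item for item in items)
    serialized += ",%d" % len(items)
    return hashlib.md5(serialized.encode()).hexdigest()

# Canonical serialization: JSON with deterministic key order and fixed
# separators. Quotes inside strings are escaped, numbers and strings are
# distinguishable, and equal structures always yield equal bytes.
def canonical_fingerprint(data):
    serialized = json.dumps(data, sort_keys=True, separators=(",", ":"))
    return hashlib.md5(serialized.encode()).hexdigest()

if __name__ == "__main__":
    # The two collision pairs reported in this ticket.
    pair_003 = ([1, 2], ['1","2'])
    pair_004 = (['1","2', 3], [1, '2","3'])
    print("0.03 model collides:",
          naive_fingerprint(*pair_003[:1]) == naive_fingerprint(pair_003[1]))
    print("0.04 model collides:",
          counted_fingerprint(pair_004[0]) == counted_fingerprint(pair_004[1]))
    print("canonical collides: ",
          canonical_fingerprint(pair_004[0]) == canonical_fingerprint(pair_004[1]))
    # Hash key order must not affect a canonical fingerprint.
    print("key order stable:   ",
          canonical_fingerprint({"b": 1, "a": 2}) == canonical_fingerprint({"a": 2, "b": 1}))
```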