cisagov/CSAF

Wrong SHA512 signature for 7 files

Closed this issue · 1 comment

๐Ÿ› Summary

At least 7 files have the wrong hash proof.

To reproduce

  1. run git pull
  2. compute sha512 on each ICSA and ICSMA
  3. compare each with content of <filename>.sha512

Expected behavior

The computed hash for each file is supposed to be the same as the value in <filename>.sha512.

Any helpful log output or screenshots

Here is the python3 script to compute SHA512:

#!/usr/bin/env python3
# hashlib.file_digest needs Python 3.11 or newer
import glob
import hashlib
import sys

if len(sys.argv) != 2:
    print("./check-hash.py directory")
    sys.exit(1)

for file in glob.glob(f"{sys.argv[1]}/**/*.json", recursive=True):
    if "cisa-csaf-ot-feed-tlp-white" in file:
        # don't need this file
        continue

    # hash the advisory itself
    with open(file, "rb") as fptr:
        digest = hashlib.file_digest(fptr, "sha512").hexdigest()

    # check with <filename>.sha512 proof provided
    # format: <hash>     <filename>
    proof_path = f"{file}.sha512"
    try:
        with open(proof_path, "r") as pptr:
            parts = pptr.read().split()
            proof = parts[0].strip() if parts else ""
    except FileNotFoundError:
        print(f"missing SHA512 proof: {proof_path}\n")
        continue

    if proof != digest:
        print(f"wrong SHA512 proof: {file}")
        print(f"compute: {digest}")
        print(f"proof  : {proof}\n")

Results:

wrong SHA512 proof: CSAF/csaf_files/OT/white/2021/icsma-21-187-01.json
compute: 936566411e4c5f6c7382e9a658a39196cb46144479dcb7defc27fbf44ef36c3134324df0081dbddbda132d741b1730a8d4c9998d0282ee64cbb705bd89cdfa05
proof  : 9d49755f5c7784747045dac7c450eb8468aa51d39487bea3d9462fc83bb5f89f892ef27b5c6826c0073f2473d24c3e6cd263930af2d44865a99b45f6d61529e1

wrong SHA512 proof: CSAF/csaf_files/OT/white/2021/icsa-21-336-05.json
compute: 108f107d274a0688b7900e5be9f773951a59cc9a9ccc401abfb248cad1f0c8fd5415281c4715e37eb2cf7c1e12fe1f56ccf0ce7108844f17dc0bcce3969e4b46
proof  : 3ec9907c434cebf7bc72e1bb40cb934f8b4e756ba8375bf5a827495f39968237be8941859dd1c588571c7a0d21b55f93e44e7d2b7ca876793d949cf82963e24a

wrong SHA512 proof: CSAF/csaf_files/OT/white/2021/icsa-21-061-03.json
compute: 989c35522ad168e2aba01cc398d80e9bd97bbd052bb38cc3186ed6f7087ed5c97095218ffb7a594737920269ade98f1f9013e1c45a3bb45b91de8a3f54610899
proof  : 9636a3d0da4f8367161c2c823edde210f0aebd35e51816ca96b248eb8ba78d562e95ceca96e469beaec5c7d31dcfb3d167532fdf3ea622176658edf8cfa237d8

wrong SHA512 proof: CSAF/csaf_files/OT/white/2022/icsa-22-132-06.json
compute: 2001077a07cd6c9fe949365a3bd860ca61c9cee91390b36b027b88b538ead09c832c6e9e45c2fcd6d0191d1947bc131d5954ee9a53307dfbddbbb09677603e35
proof  : cfa757be01352e3591e354909f2b96e10d52e058824eaf357904f82b6fb9eedb3849e5eb79bf156a48c9210d14956736633ea63361da685065bc7d32ef1c3112

wrong SHA512 proof: CSAF/csaf_files/OT/white/2024/icsa-24-074-07.json
compute: 33eebb5fe2ae741c11c05583ddcab9be2e1d72b493e2831631cca226ae6c12356f8f6f9c2742336e66a063761c5d8ace1fd00a384e812bf14bdebfe39a649eb4
proof  : 0433fc33b0087f72432f63f4cb8a83a07e36d9244eb288f9c8fdfaaa0b7d6bc14eeaca07e746a9f9488261c7f158a703773a00402451cfe710565ccc68ccd1d8

wrong SHA512 proof: CSAF/csaf_files/OT/white/2023/icsa-23-208-01.json
compute: 74873fd2370bffe27a7de6eab26b12e12b23342f9c4dabc96ad08f33adc044ae739276fd561e037836f25e3214656093f7190636c4a8602bbb427e31cadc2784
proof  : 9a3a5d4a8d185ab09ba5a126f4b2aacb0211ab7f5d8761c6cd71ec04f3dee9c74defce35d7626035db50abdd1c721b49414e8c5cac4f92cd6ae9ef8f399852ef

wrong SHA512 proof: CSAF/csaf_files/OT/white/2023/icsa-23-348-15.json
compute: 13abe3c8d96ec8774dbc54ba7c84e29de03546a1936d2c44e780a3f495d78c5beaf36788e75da10b54ecea3ce8b8fc4284b2fb476c7c3dc0418b3ff9092844c1
proof  : ba4c34025f05df1563cbe0047834c77c946beef14f326f06e5d398225a4e6db3c78c0bf3036f7893f72865f6abd4cb9175fc2d0d970592759bf41d2cb44f5510

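As an added example (not part of the original issue and not code from the cisagov/CSAF repository), the checker below generalises the verification procedure above: it classifies every advisory as ok, mismatch, missing sidecar, malformed sidecar, or sidecar naming a different file, instead of only printing mismatches. It assumes the sidecar uses the sha512sum-style `<hash>  <filename>` layout described in the issue, and the filename comparison is on the basename only, an assumption since the issue does not say whether the sidecar carries a bare name or a path. All files it hashes are constructed inline in a temporary directory; none of them are real CISA advisories.

```python
import hashlib
import tempfile
from pathlib import Path

# The feed index is skipped, as in the script above.
FEED_INDEX_MARKER = "cisa-csaf-ot-feed-tlp-white"


def sha512_of(path: Path) -> str:
    """Hex SHA-512 of a file, read in chunks (no Python 3.11 dependency)."""
    h = hashlib.sha512()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha512_sidecar(text: str):
    """Parse a sha512sum-style line '<hash>  <filename>'.
    Returns (hex_digest, filename) or None if the first field is not a
    128-hex-char digest; a leading '*' (sha512sum binary mode) is dropped."""
    parts = text.strip().split(None, 1)
    if not parts:
        return None
    digest = parts[0].lower()
    if len(digest) != 128 or any(c not in "0123456789abcdef" for c in digest):
        return None
    name = parts[1].strip().lstrip("*") if len(parts) > 1 else ""
    return digest, name


def check_advisory(path: Path) -> str:
    """Classify one advisory against its <name>.sha512 sidecar:
    ok / mismatch (the failure in this issue) / missing / malformed /
    name-mismatch (assumed check: basename only, since the issue does not
    say whether the sidecar carries a bare name or a path)."""
    sidecar = path.with_name(path.name + ".sha512")
    if not sidecar.exists():
        return "missing"
    parsed = parse_sha512_sidecar(sidecar.read_text())
    if parsed is None:
        return "malformed"
    expected, name = parsed
    if name and Path(name).name != path.name:
        return "name-mismatch"
    return "ok" if sha512_of(path) == expected else "mismatch"


def check_tree(root: Path) -> dict:
    """Map every advisory under root (relative POSIX path) to its status."""
    results = {}
    for p in sorted(root.rglob("*.json")):
        if FEED_INDEX_MARKER in p.name:
            continue
        results[p.relative_to(root).as_posix()] = check_advisory(p)
    return results


def build_sample_tree(root: Path) -> None:
    """Constructed sample data (not real CISA advisories), one file per status."""
    d = root / "csaf_files" / "OT" / "white" / "2024"
    d.mkdir(parents=True)
    good = d / "icsa-24-000-01.json"
    good.write_bytes(b'{"document": {"title": "good"}}')
    (d / "icsa-24-000-01.json.sha512").write_text(f"{sha512_of(good)}  {good.name}\n")
    stale = d / "icsa-24-000-02.json"
    stale.write_bytes(b'{"document": {"title": "edited after hashing"}}')
    (d / "icsa-24-000-02.json.sha512").write_text(f"{'0' * 128}  {stale.name}\n")
    (d / "icsa-24-000-03.json").write_bytes(b'{"document": {"title": "no sidecar"}}')
    (d / "icsa-24-000-04.json").write_bytes(b"{}")
    (d / "icsa-24-000-04.json.sha512").write_text("not-a-digest  icsa-24-000-04.json\n")
    renamed = d / "icsa-24-000-05.json"
    renamed.write_bytes(b'{"document": {"title": "sidecar names another file"}}')
    (d / "icsa-24-000-05.json.sha512").write_text(f"{sha512_of(renamed)}  icsa-24-000-99.json\n")
    (root / "csaf_files" / "cisa-csaf-ot-feed-tlp-white.json").write_bytes(b"[]")


def demo() -> dict:
    """Run the checker over the constructed tree and return the status map."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        results = check_tree(root)
    for rel, status in results.items():
        print(f"{status:14} {rel}")
    return results


if __name__ == "__main__":
    demo()
```

To run it against a real checkout, call `check_tree(Path("CSAF"))` instead of `demo()`; anything other than `ok` is worth reporting, since a stale sidecar and a missing one both leave a consumer unable to verify the advisory it just fetched.
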
The pull request linked above contains the fix for this issue. Thank you for bringing it to our attention. Some URLs were also fixed in the CSAFs you mentioned so you'll need to recompute the hash to check.