hdf5-1.8.22.tar.bz2 checksum changed

michkapopoff · March 2, 2021, 2:38pm

Hello. Homebrew maintainer here.

When 1.8.22 was initially released, the https://support.hdfgroup.org/ftp/HDF5/releases/hdf5-1.8/hdf5-1.8.22/src/hdf5-1.8.22.tar.bz2 file had a sha256 of: 0ac77e1c22bce5bbbdb337bd7f97aeb5ef43c727a84ccb6d683d092eb57ebd8e

The file’s sha256 is now 689b88c6a5577b05d603541ce900545779c96d62b6f83d3f23f46559b48893a4.

This means that the initial file on you FTP was replaced.

I did not find how to contact you about this potential security issue, I tried https://github.com/HDFGroup/hdf5/pull/279#issuecomment-787058349 but I got no answer. We are concerned that maybe something malicious happened with our FTP server.

Related issue on our side: https://github.com/Homebrew/homebrew-core/pull/72250

bljones · March 2, 2021, 3:27pm

Hello!

It appears that the hdf5-1.8.22.tar.bz2 file is okay. However, the checksum we provide is “md5” and not “sha256”. I used “wget” to download the checksum and bz2 files, and then compared the checksum values:

wget https://support.hdfgroup.org/ftp/HDF5/releases/hdf5-1.8/hdf5-1.8.22/src/hdf5-1.8.22.tar.bz2
wget https://support.hdfgroup.org/ftp/HDF5/releases/hdf5-1.8/hdf5-1.8.22/src/hdf5-1.8.22.md5

$ more hdf5-1.8.22.md5
9561ed9a0731cc980360f90f82557a99 hdf5-1.8.22.tar
972c28a7355cf94f24670307b7c0973d hdf5-1.8.22.tar.gz
0b083716131466527c2eaeb44a2a7786 hdf5-1.8.22.tar.bz2
abe247557dde4360ea55a61045ebdc28 CMake-hdf5-1.8.22.tar.gz
79e89b202b12deb4a16773bd04e78388 hdf5-1.8.22.zip
6b0cb5fbc4f195789bd0b66039dae96a CMake-hdf5-1.8.22.zip

$ md5sum hdf5-1.8.22.tar.bz2
0b083716131466527c2eaeb44a2a7786 hdf5-1.8.22.tar.bz2

-Barbara

michkapopoff · March 2, 2021, 5:34pm

The issue is not in the difference between the checksum algorithms. Md5 or sha256 does not matter.

What matters is that 25 days ago the file had a checksum, and since that day someone changed the file and it now reports a different checksum.

So either someone re-released the file on your side, or someone malicious replaced the file without you noticing.

lrknox · March 2, 2021, 5:47pm

Source files were re-released to ftp on Feb 5 prior to public announcement. 689b88c6a5577b05d603541ce900545779c96d62b6f83d3f23f46559b48893a4 is the checksum on the hdf5-1.8.22.tar.bz2 file created internally and copied to the public ftp site.

bljones · March 2, 2021, 6:06pm

I did a checksum on the binary in our in-house pre-release directory. It is the same as what is on the ftp server, so I think the file is okay.

Could it be that your file was downloaded prior to the announcement of the release? The release date was 2021-02-03.

Sometimes we have to update files if we catch a problem prior to the release. Once a release has been announced, the files should not change. The web page will show “Under Construction” in place of the release date until the release actually occurs:
https://portal.hdfgroup.org/display/support/HDF5%201.8.22

-Barbara

michkapopoff · March 11, 2021, 5:25pm

Yes. We have automated bots that check for new releases by looking at your FTP server, so that we can release stuff instantly. So we probably downloaded a preview file that you changed.

All good on our side, I’ll add a note that releases should be bumped on our side only when you have made the official announcement.