-
Yeah, dubious and frivolous security reports are a PITA. I had a "security researcher" warn me about a vulnerable dependency in a project NOT using any dependencies. And I had a hard time convincing him that the claim was frivolous... Such a waste of time... He ended up calling me crazy btw... Some people in this world...
-
I received a report stating that ZipStream is vulnerable because it uses CRC32 checksums in the ZIP central directory file headers (offset 16; see Wikipedia).
The CRC32 checksums in these headers are used to check if ZIP contents have been corrupted. However, this is not a security feature and should not be considered as one.
It is not possible to substitute the CRC32 hashing function with a different one, as CRC32 is required by the ZIP standard. Changing it would violate the specification and render the files incompatible with standard ZIP tools.
If you need to ensure that files cannot be tampered with, you should either sign the entire ZIP archive or the individual files it contains. You can employ standard mechanisms like HMAC signatures, GPG signatures, or OpenSSL digests to achieve this.
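The distinction the post draws, as an added example that is not part of the discussion or of ZipStream itself: any ZIP writer fills in the CRC32 fields for whatever bytes it is given, so the stored CRC32 passes for a rewritten archive just as it does for the original, while a keyed HMAC over the whole archive (the key and file contents below are constructed for the demo) only verifies for the archive it was computed over.

```python
"""CRC32 in a ZIP detects corruption, not modification; an HMAC over the archive does."""
import hashlib
import hmac
import io
import zipfile
import zlib

# Constructed demo key; a real deployment loads this from a secret store.
DEMO_KEY = b"constructed-demo-key"


def build_archive(files: dict[str, bytes]) -> bytes:
    """Write an in-memory ZIP; zipfile fills in the CRC32 fields as the format requires."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def stored_crc_matches(archive: bytes, name: str) -> bool:
    """The check a ZIP tool performs: stored CRC32 equals CRC32 of the entry's bytes."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.getinfo(name).CRC == zlib.crc32(zf.read(name))


def sign_archive(archive: bytes, key: bytes) -> str:
    """Keyed MAC over the whole archive; only a key holder can produce a valid tag."""
    return hmac.new(key, archive, hashlib.sha256).hexdigest()


def verify_archive(archive: bytes, key: bytes, tag: str) -> bool:
    """Constant-time comparison of the stored tag against a fresh HMAC."""
    return hmac.compare_digest(sign_archive(archive, key), tag)


def demo() -> tuple[bool, bool]:
    """Returns (crc_check_passes, hmac_check_passes) for an archive with different content."""
    original = build_archive({"config.txt": b"debug=false\n"})
    tag = sign_archive(original, DEMO_KEY)
    # A second archive with different content is an equally valid ZIP: its CRC32
    # fields are computed over the new bytes, so CRC32 cannot tell which one is genuine.
    rewritten = build_archive({"config.txt": b"debug=true\n"})
    return stored_crc_matches(rewritten, "config.txt"), verify_archive(rewritten, DEMO_KEY, tag)


if __name__ == "__main__":
    print("CRC32 passes: %s, HMAC passes: %s" % demo())  # CRC32 passes: True, HMAC passes: False
```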