# sha256 hash on zonefiles



## spekje (Oct 28, 2014)

Hi,

While running `freebsd-update IDS` I'm getting some interesting output:


```
/usr/share/zoneinfo/America/Kralendijk has SHA256 hash a237c0b90a8013e17963ed4554a21ce5f6dc93838de07570adfbb13820eae842, but should have SHA256 hash 4527d90b16e6cbad09e4fe5c000bc6feaa9a88b5fbd32e868a6638fa4425d62e.
/usr/share/zoneinfo/America/Lower_Princes has SHA256 hash a237c0b90a8013e17963ed4554a21ce5f6dc93838de07570adfbb13820eae842, but should have SHA256 hash 4527d90b16e6cbad09e4fe5c000bc6feaa9a88b5fbd32e868a6638fa4425d62e.
/usr/share/zoneinfo/America/Marigot has SHA256 hash 156b53a49b3745f2568085f61a8f2d3520d05edc3cdd6a201762dd7b85f47f2c, but should have SHA256 hash 78d5c7e8d77694cbf69ab03fde20ffc49b0aff2c63b2146e872bced2eafb758f.
/usr/share/zoneinfo/America/St_Barthelemy has SHA256 hash 156b53a49b3745f2568085f61a8f2d3520d05edc3cdd6a201762dd7b85f47f2c, but should have SHA256 hash 78d5c7e8d77694cbf69ab03fde20ffc49b0aff2c63b2146e872bced2eafb758f.
/usr/share/zoneinfo/Europe/Istanbul has SHA256 hash 076a7cbad8f9231b7368f0f9b0d0598b62e2da7203aa5594c75fc27923ccac79, but should have SHA256 hash 315f097c5b0c1f253348ad61d3dcb1451d53c6ea81fd91473699a2cc0665fc4e.
/usr/share/zoneinfo/Europe/Mariehamn has SHA256 hash 4cc339a3a2242cca29f83f5dafa8781fc00b10e26237d1a65b5be89e03083e45, but should have SHA256 hash 5d9a6f56575174baefe467516be0a2c20367980da17ded6d3780a4d86920aedc.
```
I'm getting this on several versions and patchlevels.

I found https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=194173 and have some idea that it's related to this but I don't understand why the sha256 hash is not correct if I did not make a change/did the update yet. I would expect my unpatched install to not suddenly fail this 'IDS' check as nothing has changed on my side. The output would lead me to think my system is compromised while it seems only the hashes have been updated.

Does somebody know more about this?

Regards,
Marjan


----------



## junovitch@ (Oct 28, 2014)

Have you run `freebsd-update fetch install` lately?  The most likely candidate is probably the patch for timezone updates if that was the case.  Maybe something got corrupted with the updates.  Check here for details:  https://www.freebsd.org/security/advisories/FreeBSD-EN-14:10.tzdata.asc


----------



## spekje (Oct 29, 2014)

Hi,

The link you're mentioning is related to my link. I haven't done an update so that should not be it.

Regards,
Marjan


----------



## bluuurgh (Jan 6, 2015)

Hmm, I've been seeing this too. I would expect a non-updated system to not suddenly get different hashes offered.

The IDS functionality should point out when something has been changed on a running system, not when something has changed in the FreeBSD repo. This causes users to believe their systems could be infected while nothing has ever changed.


----------



## junovitch@ (Jan 7, 2015)

All `freebsd-update` is doing here is comparing a list of what it has retrieved from the update servers in this form `/path/to/file|type|device-inum|user|group|perm|flags|value` where value is the SHA hash and showing when something doesn't match up with what is expected.  It should only show something intentionally changed or perhaps corrupted (either the file or the index in `/var/db/freebsd-update`) where the values don't match.


----------
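The comparison junovitch@ describes above, as an added example that is not part of the thread and not `freebsd-update`'s own code: it parses index lines in the `/path/to/file|type|device-inum|user|group|perm|flags|value` form, hashes the local files with SHA256 and reports mismatches. It adds one triage step the thread's complaint suggests but the tool does not do: a mismatch is only flagged as a local modification when the file's actual hash does not match the *previous* index version either, so an index that was merely refreshed (the tzdata case in this thread) is reported separately. The file contents, paths, index field values and the `demo()` helper are all constructed for the example.

```python
import hashlib
import os
import tempfile

# Index line format as described in the thread:
#   /path/to/file|type|device-inum|user|group|perm|flags|value
# where value is the SHA256 hex digest of the file contents.
FIELDS = ("path", "type", "device_inum", "user", "group", "perm", "flags", "value")


def parse_index(text):
    """Parse index lines into a dict keyed by path; blank lines and '#' comments are skipped."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError("malformed index line: %r" % raw)
        entry = dict(zip(FIELDS, parts))
        entries[entry["path"]] = entry
    return entries


def sha256_file(path):
    """SHA256 hex digest of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def ids_check(index, root, previous_index=None):
    """Compare files under root against index; return (path, actual, expected, verdict) tuples.

    Only type 'f' entries are hashed (assumption: other types carry no content hash here).
    If previous_index is given and the actual hash matches the *old* expected value, the
    verdict is 'index-updated-file-unchanged' instead of 'modified-locally'.
    """
    findings = []
    for path, entry in sorted(index.items()):
        if entry["type"] != "f":
            continue
        local = os.path.join(root, path.lstrip("/"))
        if not os.path.exists(local):
            findings.append((path, None, entry["value"], "missing"))
            continue
        actual = sha256_file(local)
        if actual == entry["value"]:
            continue
        verdict = "modified-locally"
        if previous_index is not None:
            prev = previous_index.get(path)
            if prev is not None and prev["value"] == actual:
                verdict = "index-updated-file-unchanged"
        findings.append((path, actual, entry["value"], verdict))
    return findings


def demo():
    """Constructed scenario: one zone file that the index moved on from, one tampered file."""
    old_zone = b"TZif2-old-constructed"   # constructed stand-in for an unpatched zone file
    new_zone = b"TZif2-new-constructed"   # constructed stand-in for the updated zone file
    h_old = hashlib.sha256(old_zone).hexdigest()
    h_new = hashlib.sha256(new_zone).hexdigest()

    root = tempfile.mkdtemp()
    for rel, data in (("usr/share/zoneinfo/America/Kralendijk", old_zone),
                      ("usr/share/zoneinfo/Europe/Istanbul", b"tampered")):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)

    # device-inum, owner, perm and flags values below are constructed placeholders
    tmpl = "/usr/share/zoneinfo/%s|f|0-0|root|wheel|0444|0|%s"
    old_index = parse_index("\n".join([tmpl % ("America/Kralendijk", h_old),
                                       tmpl % ("Europe/Istanbul", h_old)]))
    new_index = parse_index("\n".join([tmpl % ("America/Kralendijk", h_new),
                                       tmpl % ("Europe/Istanbul", h_old)]))
    return ids_check(new_index, root, previous_index=old_index)


if __name__ == "__main__":
    for path, actual, expected, verdict in demo():
        print("%s: %s (have %s, index says %s)" % (path, verdict, actual, expected))
```

Run it and the Kralendijk entry is reported as `index-updated-file-unchanged` (the local file still matches the previous index) while the Istanbul entry is `modified-locally`; the second kind is the one that deserves an incident-response look, the first is the situation this thread is about.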

