From patchwork Sun Sep 13 12:42:56 2020
X-Patchwork-Submitter: Baptiste Jonglez
X-Patchwork-Id: 1363086
From: Baptiste Jonglez
To: openwrt-devel@lists.openwrt.org
Cc: Alexander Ryzhov, Baptiste Jonglez
Subject: [PATCH opkg] libopkg: fix md5sum calculation
Date: Sun, 13 Sep 2020 14:42:56 +0200
Message-Id: <20200913124256.893496-1-baptiste@bitsofnetworks.org>
X-Mailer: git-send-email 2.27.0
From: Alexander Ryzhov

This regression prevents MD5 checksums from being checked. Packages are still installed, but this raises several issues:

- if only MD5 checksums are provided in the package list, it is trivial for an attacker to modify the content of a package, since checksum verification is bypassed. If both MD5 and SHA256 checksums are provided, then SHA256 is correctly verified and the attack is not possible.
- future efforts to harden checksum verification would prevent package installation.

Note that OpenWrt switched to SHA256 for all its packages several years ago. As a result, this bug does not affect OpenWrt packages from the official package feeds. However, custom package repositories that only use MD5 are affected.

Initially submitted at https://github.com/openwrt/openwrt/pull/3087

Fixes: 33f7b80aa325 ("libopkg: drop custom md5 implementation, unconditionally enable sha256 support")
Signed-off-by: Alexander Ryzhov
[Add commit description]
Signed-off-by: Baptiste Jonglez
---
 libopkg/file_util.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libopkg/file_util.c b/libopkg/file_util.c
index 3a1761e..8e698cc 100644
--- a/libopkg/file_util.c
+++ b/libopkg/file_util.c
@@ -153,7 +153,7 @@ char *file_md5sum_alloc(const char *file_name)
 
 	len = md5sum(file_name, md5sum_bin);
 
-	if (len) {
+	if (len < 0) {
 		opkg_msg(ERROR, "Could't compute md5sum for %s.\n", file_name);
 		return NULL;
 	}
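Review bot: the inverted test is the whole bug and the fix is right, but it rests on a contract the hunk does not state: md5sum() returns a byte count, so `if (len)` took the error path on every successful hash of a non-empty file and file_md5sum_alloc() returned NULL, and the commit message indicates callers treated that NULL as "no checksum to compare" rather than as a failure, which is why packages still installed. `if (len < 0)` is correct only if md5sum() signals failure exclusively with a negative return (a zero return now counts as success); a one-line comment above the call recording that contract would stop the same regression coming back. The fail-open caller deserves a follow-up of its own, since a NULL from file_md5sum_alloc() should abort verification, not skip it; the "Could't" typo in the context line can be fixed in that same follow-up rather than widening this minimal patch.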
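A constructed C model of the regression and its fix, added here and not opkg's code: `md5sum()` stands in for the real routine (same return contract, byte count or -1, but a toy byte-fold digest instead of MD5 so it runs without a crypto library), `md5sum_alloc()` carries the regressed and patched checks, and `verify()` shows why the bug bypassed verification instead of blocking installs, on the assumption, implied by the commit message, that opkg's caller treated a NULL digest as nothing to compare.

```c
#include <stdlib.h>
#include <string.h>

#define DIGEST_LEN 16

/* Stand-in for opkg's md5sum(): returns the number of bytes hashed, or -1 on
 * error, and fills a DIGEST_LEN-byte digest. The digest is a constructed byte
 * fold, not real MD5, so this runs without a crypto library; only the
 * return-value contract matters for the bug being shown. */
static int md5sum(const char *data, size_t n, unsigned char out[DIGEST_LEN])
{
    if (data == NULL)
        return -1;
    memset(out, 0, DIGEST_LEN);
    for (size_t i = 0; i < n; i++)
        out[i % DIGEST_LEN] ^= (unsigned char)data[i];
    return (int)n;
}

/* Model of file_md5sum_alloc(). With fixed == 0 it uses the regressed test
 * "if (len)", which treats every successful hash of a non-empty file as an
 * error; with fixed == 1 it uses the patched "if (len < 0)". */
static unsigned char *md5sum_alloc(const char *data, size_t n, int fixed)
{
    unsigned char *bin = malloc(DIGEST_LEN);
    int len = md5sum(data, n, bin);
    int failed = fixed ? (len < 0) : (len != 0);
    if (failed) {
        free(bin);
        return NULL;
    }
    return bin;
}

/* Compare a package body against the digest from the package list. Returns 1
 * if the package is accepted, 0 if rejected. A caller that treats a NULL
 * digest as "nothing to compare" fails open: combined with the regressed
 * check, every package is accepted whether or not it was tampered with. */
static int verify(const char *pkg, size_t n,
                  const unsigned char expected[DIGEST_LEN],
                  int fixed, int fail_closed)
{
    unsigned char *got = md5sum_alloc(pkg, n, fixed);
    if (got == NULL)
        return fail_closed ? 0 : 1;
    int ok = memcmp(got, expected, DIGEST_LEN) == 0;
    free(got);
    return ok;
}
```

With the regressed check, a fail-closed caller would have rejected every package and the bug would have been noticed immediately; the fail-open caller is what turned a logic slip into a silent verification bypass.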