diff mbox series

[opkg] libopkg: harden checksum verification in error cases

Message ID 20200824115220.436145-1-baptiste@bitsofnetworks.org
State Superseded
Headers show
Series [opkg] libopkg: harden checksum verification in error cases | expand

Commit Message

Baptiste Jonglez Aug. 24, 2020, 11:52 a.m. UTC 
From: Baptiste Jonglez <git@bitsofnetworks.org>

This should make it harder to exploit bugs such as CVE-2020-7982.

If we can't compute the checksum of a package, we should abort.

Similarly, if we can't find any checksum in the package index, this should
yield an error.

As an exception, installing a package directly from a file is allowed even
if no checksum is found, because this is typically used without any
package index.  This can be useful when installing packages "manually" on
a device, but is also done in several places during the OpenWrt build
process.

In any case, it is always possible to use the existing --force-checksum
option to manually bypass these new verifications.

Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
---

Note: this won't apply cleanly without my earlier patch ("libopkg: move file
size check after checksum verification"), although the two patches are
functionally independent.

 libopkg/opkg_install.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff mbox series

Patch

diff --git a/libopkg/opkg_install.c b/libopkg/opkg_install.c
index 183a1dc..2c92800 100644
--- a/libopkg/opkg_install.c
+++ b/libopkg/opkg_install.c
@@ -1371,6 +1371,11 @@  int opkg_install_pkg(pkg_t * pkg, int from_upgrade)
 	pkg_md5 = pkg_get_md5(pkg);
 	if (pkg_md5) {
 		file_md5 = file_md5sum_alloc(local_filename);
+		if (!file_md5 && !conf->force_checksum) {
+			opkg_msg(ERROR, "Failed to compute md5sum of package %s.\n",
+				 pkg->name);
+			return -1;
+		}
 		if (file_md5 && strcmp(file_md5, pkg_md5)) {
 			if (!conf->force_checksum) {
 				opkg_msg(ERROR, "Package %s md5sum mismatch. "
@@ -1392,6 +1397,11 @@  int opkg_install_pkg(pkg_t * pkg, int from_upgrade)
 	pkg_sha256 = pkg_get_sha256(pkg);
 	if (pkg_sha256) {
 		file_sha256 = file_sha256sum_alloc(local_filename);
+		if (!file_sha256 && !conf->force_checksum) {
+			opkg_msg(ERROR, "Failed to compute sha256sum of package %s.\n",
+				 pkg->name);
+			return -1;
+		}
 		if (file_sha256 && strcmp(file_sha256, pkg_sha256)) {
 			if (!conf->force_checksum) {
 				opkg_msg(ERROR,
@@ -1410,6 +1420,16 @@  int opkg_install_pkg(pkg_t * pkg, int from_upgrade)
 			free(file_sha256);
 	}
 
+	/* Check that at least one type of checksum was found.  There are
+	 * two acceptable exceptions:
+	 * 1) the package is explicitly installed from a local file;
+	 * 2) the --force-checksum option is used to disable checksum verification. */
+	if (!pkg_md5 && !pkg_sha256 && !pkg->provided_by_hand && !conf->force_checksum) {
+		opkg_msg(ERROR, "Failed to obtain checksum of package %s from package index.\n",
+			 pkg->name);
+		return -1;
+	}
+
 	/* Check file size */
 	err = lstat(local_filename, &pkg_stat);