From patchwork Mon Aug 24 11:52:20 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Baptiste Jonglez X-Patchwork-Id: 1350314 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.openwrt.org (client-ip=2001:8b0:10b:1231::1; helo=merlin.infradead.org; envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=bitsofnetworks.org Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; secure) header.d=lists.infradead.org header.i=@lists.infradead.org header.a=rsa-sha256 header.s=merlin.20170209 header.b=1Cqs7Wwn; dkim-atps=neutral Received: from merlin.infradead.org (merlin.infradead.org [IPv6:2001:8b0:10b:1231::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4BZr9v1pRfz9sSJ for ; Mon, 24 Aug 2020 21:53:39 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:Message-Id:Date:Subject:To:From: Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender :Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Owner; bh=wPbeleqaLHwRemG7r+O6CKKHzD4qPJdj8lwVnXIOlrU=; b=1Cqs7Wwnlu70sX2+hyI1gE5Kv7 IHGG89AVmKOHTUOQVikF9fflpanwwS9WbM/3cdNNTq2pZUA6ImMmX2+Qnrp3Pw6CKCbC+1ZHHh8Kv Y/HXks9UZNWyxv30ZEICH9PNU+f3O4b7eyus4jtWzsp2yU8enBViTcu+MU5a1FEZMiRIrAHtcezk1 AUUWGYbMwEOnrdy7AMFeKojCp++OoLbSZqpXKmIwVBKGfZpzz1xGpGO0CcR+MjfzZL9e5+Vc8O77C qECgwkNIKL/H2LU5FNSHZGSNhmvU6r6/yobCIdFo+7dEmU+s53cuwRR1hPF4//013Zu8pJufhcD+Q qzD5llIw==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1kAB1Y-0004Ez-H2; Mon, 24 Aug 2020 11:52:28 +0000 Received: from mails.bitsofnetworks.org ([2001:912:1800:ff::131]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kAB1V-0004DZ-Tv for openwrt-devel@lists.openwrt.org; Mon, 24 Aug 2020 11:52:26 +0000 Received: from [2001:912:1800::5c8] (helo=localhost.localdomain) by mails.bitsofnetworks.org with esmtp (Exim 4.89) (envelope-from ) id 1kAB1U-0006qp-Gk; Mon, 24 Aug 2020 13:52:24 +0200 From: Baptiste Jonglez To: openwrt-devel@lists.openwrt.org Subject: [PATCH opkg] libopkg: harden checksum verification in error cases Date: Mon, 24 Aug 2020 13:52:20 +0200 Message-Id: <20200824115220.436145-1-baptiste@bitsofnetworks.org> X-Mailer: git-send-email 2.27.0 MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20200824_075226_116018_C1318FD9 X-CRM114-Status: GOOD ( 17.00 ) X-Spam-Score: 0.0 (/) X-Spam-Report: SpamAssassin version 3.4.4 on merlin.infradead.org summary: Content analysis details: (0.0 points) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 SPF_PASS SPF: sender matches SPF record X-BeenThere: openwrt-devel@lists.openwrt.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: OpenWrt Development List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Baptiste Jonglez Sender: "openwrt-devel" Errors-To: openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org From: Baptiste Jonglez This should make it harder to exploit bugs such as CVE-2020-7982. If we can't compute the checksum of a package, we should abort. Similarly, if we can't find any checksum in the package index, this should yield an error. As an exception, installing a package directly from a file is allowed even if no checksum is found, because this is typically used without any package index. This can be useful when installing packages "manually" on a device, but is also done in several places during the OpenWrt build process. In any case, it is always possible to use the existing --force-checksum option to manually bypass these new verifications. Signed-off-by: Baptiste Jonglez --- Note: this won't apply cleanly without my earlier patch ("libopkg: move file size check after checksum verification"), although the two patches are functionally independent. libopkg/opkg_install.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/libopkg/opkg_install.c b/libopkg/opkg_install.c index 183a1dc..2c92800 100644 --- a/libopkg/opkg_install.c +++ b/libopkg/opkg_install.c @@ -1371,6 +1371,11 @@ int opkg_install_pkg(pkg_t * pkg, int from_upgrade) pkg_md5 = pkg_get_md5(pkg); if (pkg_md5) { file_md5 = file_md5sum_alloc(local_filename); + if (!file_md5 && !conf->force_checksum) { + opkg_msg(ERROR, "Failed to compute md5sum of package %s.\n", + pkg->name); + return -1; + } if (file_md5 && strcmp(file_md5, pkg_md5)) { if (!conf->force_checksum) { opkg_msg(ERROR, "Package %s md5sum mismatch. " @@ -1392,6 +1397,11 @@ int opkg_install_pkg(pkg_t * pkg, int from_upgrade) pkg_sha256 = pkg_get_sha256(pkg); if (pkg_sha256) { file_sha256 = file_sha256sum_alloc(local_filename); + if (!file_sha256 && !conf->force_checksum) { + opkg_msg(ERROR, "Failed to compute sha256sum of package %s.\n", + pkg->name); + return -1; + } if (file_sha256 && strcmp(file_sha256, pkg_sha256)) { if (!conf->force_checksum) { opkg_msg(ERROR, @@ -1410,6 +1420,16 @@ int opkg_install_pkg(pkg_t * pkg, int from_upgrade) free(file_sha256); } + /* Check that at least one type of checksum was found. There are + * two acceptable exceptions: + * 1) the package is explicitly installed from a local file; + * 2) the --force-checksum option is used to disable checksum verification. */ + if (!pkg_md5 && !pkg_sha256 && !pkg->provided_by_hand && !conf->force_checksum) { + opkg_msg(ERROR, "Failed to obtain checksum of package %s from package index.\n", + pkg->name); + return -1; + } + /* Check file size */ err = lstat(local_filename, &pkg_stat);