author Patrick McDermott <patrick.mcdermott@libiquity.com> 2020-12-07 06:38:02 (EST)
committer Patrick McDermott <patrick.mcdermott@libiquity.com> 2020-12-07 06:39:07 (EST)
commit 4b52cfef857b924bcda7300a690310860f5cbf63
tree 9fee28e562765a3399f71c52641527b8ca88129b
parent bcdc3f94cca64d962b1ebd6053ad10f93d736bb6
patches: libopkg: fix md5sum calculation
-rw-r--r-- changelog 2
-rw-r--r-- patches/libopkg-fix-md5sum-calculation.patch 51
2 files changed, 53 insertions, 0 deletions
diff --git a/changelog b/changelog
index c72e1be..4450781 100644
--- a/changelog
+++ b/changelog
@@ -7,6 +7,8 @@ opkg-lede (0+git20190131.d4ba162-7) trunk
attempts to execute gzip after removing busybox, whereas opkg
didn't) and
- Accepts an -a/--host-architecture option for multiarch support.
+ * Add patch from upstream to fix "file_md5sum_alloc: Could't compute
+ md5sum" errors.
-- Patrick McDermott <patrick.mcdermott@libiquity.com> Thu, 18 Jun 2020 12:50:01 -0400
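Review bot: The added changelog entry describes only the symptom (the "Could't compute md5sum" error) and leaves out the security-relevant effect stated in the imported patch: MD5 checksum verification was bypassed for repositories that publish only MD5 sums. Suggest saying so in the entry and naming patches/libopkg-fix-md5sum-calculation.patch, so that someone reading the changelog can tell this is a package-integrity fix. The entry is also appended under 0+git20190131.d4ba162-7, whose trailer is still dated 18 Jun 2020 while this commit is from December 2020; if that version was already released, the entry belongs under a new version.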
diff --git a/patches/libopkg-fix-md5sum-calculation.patch b/patches/libopkg-fix-md5sum-calculation.patch
new file mode 100644
index 0000000..71107c5
--- /dev/null
+++ b/patches/libopkg-fix-md5sum-calculation.patch
@@ -0,0 +1,51 @@
+From 66f458decf9fd2839d77bf420e93d9c78025488a Mon Sep 17 00:00:00 2001
+From: Alexander Ryzhov <github@ryzhov-al.ru>
+Date: Sun, 13 Sep 2020 14:42:56 +0200
+Subject: [PATCH] libopkg: fix md5sum calculation
+
+This regression prevents MD5 checksums from being checked. Packages are
+still installed, but this raises several issues:
+
+- if only MD5 checksums are provided in the package list, it is trivial
+ for an attacker to modify the content of a package, since checksum
+ verification is bypassed. If both MD5 and SHA256 checksums are
+ provided, then SHA256 is correctly verified and the attack is not
+ possible.
+
+- future efforts to harden checksum verification would prevent package
+ installation.
+
+Note that OpenWrt has switched to SHA256 for all its packages several
+years ago. As a result, this bug does not affect OpenWrt packages from the
+official package feeds.
+
+However, custom package repositories that only use MD5 are affected.
+
+Initially submitted at https://github.com/openwrt/openwrt/pull/3087
+
+Fixes: 33f7b80aa325 ("libopkg: drop custom md5 implementation,
+unconditionally enable sha256 support")
+
+Signed-off-by: Alexander Ryzhov <github@ryzhov-al.ru>
+[Add commit description]
+Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
+---
+ libopkg/file_util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libopkg/file_util.c b/libopkg/file_util.c
+index 3a1761e..8e698cc 100644
+--- a/libopkg/file_util.c
++++ b/libopkg/file_util.c
+@@ -153,7 +153,7 @@ char *file_md5sum_alloc(const char *file_name)
+
+ len = md5sum(file_name, md5sum_bin);
+
+- if (len) {
++ if (len < 0) {
+ opkg_msg(ERROR, "Could't compute md5sum for %s.\n", file_name);
+ return NULL;
+ }
+--
+2.20.1
+
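Review bot: The corrected check `if (len < 0)` in file_md5sum_alloc() is only right if md5sum() reports every failure as a negative value, and that contract is not visible in this hunk; a return of 0 is now treated as success. Please confirm md5sum() cannot return 0 on error, and add a short comment above the check documenting the return convention so the inverted test fixed here is not reintroduced. Separately, the commit message says packages were still installed while this function returned NULL, so the caller appears to treat a missing MD5 as non-fatal; that fail-open path is outside this hunk and stays in place, so a regression test that installs from an MD5-only package list with a deliberately wrong checksum and expects a refusal would be worth adding alongside this patch.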