| field | value | date |
|---|---|---|
| author | Patrick McDermott <patrick.mcdermott@libiquity.com> | 2020-12-07 06:38:02 (EST) |
| committer | Patrick McDermott <patrick.mcdermott@libiquity.com> | 2020-12-07 06:39:07 (EST) |
| commit | 4b52cfef857b924bcda7300a690310860f5cbf63 (patch) | |
| tree | 9fee28e562765a3399f71c52641527b8ca88129b /patches | |
| parent | bcdc3f94cca64d962b1ebd6053ad10f93d736bb6 (diff) | |
patches: libopkg: fix md5sum calculation
Diffstat (limited to 'patches')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | patches/libopkg-fix-md5sum-calculation.patch | 51 |

1 files changed, 51 insertions, 0 deletions
diff --git a/patches/libopkg-fix-md5sum-calculation.patch b/patches/libopkg-fix-md5sum-calculation.patch new file mode 100644 index 0000000..71107c5 --- /dev/null +++ b/patches/libopkg-fix-md5sum-calculation.patch @@ -0,0 +1,51 @@ +From 66f458decf9fd2839d77bf420e93d9c78025488a Mon Sep 17 00:00:00 2001 +From: Alexander Ryzhov <github@ryzhov-al.ru> +Date: Sun, 13 Sep 2020 14:42:56 +0200 +Subject: [PATCH] libopkg: fix md5sum calculation + +This regression prevents MD5 checksums from being checked. Packages are +still installed, but this raises several issues: + +- if only MD5 checksums are provided in the package list, it is trivial + for an attacker to modify the content of a package, since checksum + verification is bypassed. If both MD5 and SHA256 checksums are + provided, then SHA256 is correctly verified and the attack is not + possible. + +- future efforts to harden checksum verification would prevent package + installation. + +Note that OpenWrt has switched to SHA256 for all its packages several +years ago. As a result, this bug does not affect OpenWrt packages from the +official package feeds. + +However, custom package repositories that only use MD5 are affected. + +Initially submitted at https://github.com/openwrt/openwrt/pull/3087 + +Fixes: 33f7b80aa325 ("libopkg: drop custom md5 implementation, +unconditionally enable sha256 support") + +Signed-off-by: Alexander Ryzhov <github@ryzhov-al.ru> +[Add commit description] +Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org> +--- + libopkg/file_util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libopkg/file_util.c b/libopkg/file_util.c +index 3a1761e..8e698cc 100644 +--- a/libopkg/file_util.c ++++ b/libopkg/file_util.c +@@ -153,7 +153,7 @@ char *file_md5sum_alloc(const char *file_name) + + len = md5sum(file_name, md5sum_bin); + +- if (len) { ++ if (len < 0) { + opkg_msg(ERROR, "Could't compute md5sum for %s.\n", file_name); + return NULL; + } +-- +2.20.1 + |
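Review bot: the one-line change in the `@@ -153,7 +153,7 @@ char *file_md5sum_alloc(...)` hunk of libopkg/file_util.c is correct only under the convention that `md5sum()` returns a negative value on failure and a non-negative length on success; with that convention the old `if (len)` treated every successful digest computation as an error, so `file_md5sum_alloc()` returned NULL and, as the description explains, the MD5 check was skipped instead of failing closed. Two things are worth confirming before merging: that `md5sum()`'s return contract is really "negative on error" (otherwise `len < 0` silently reintroduces the bypass for a zero return), and whether the callers that receive NULL from this function should treat it as a hard verification failure rather than "nothing to check", since that caller behaviour is what turned a sign mix-up into a checksum bypass for MD5-only feeds. The context line `opkg_msg(ERROR, "Could't compute md5sum for %s.\n", file_name);` also has a typo (`Couldn't`) that a follow-up could fix.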