From 4b52cfef857b924bcda7300a690310860f5cbf63 Mon Sep 17 00:00:00 2001 From: Patrick McDermott Date: Mon, 07 Dec 2020 06:38:02 -0500 Subject: patches: libopkg: fix md5sum calculation --- (limited to 'patches') diff --git a/patches/libopkg-fix-md5sum-calculation.patch b/patches/libopkg-fix-md5sum-calculation.patch new file mode 100644 index 0000000..71107c5 --- /dev/null +++ b/patches/libopkg-fix-md5sum-calculation.patch 
@@ -0,0 +1,51 @@ +From 66f458decf9fd2839d77bf420e93d9c78025488a Mon Sep 17 00:00:00 2001 +From: Alexander Ryzhov +Date: Sun, 13 Sep 2020 14:42:56 +0200 +Subject: [PATCH] libopkg: fix md5sum calculation + +This regression prevents MD5 checksums from being checked. Packages are +still installed, but this raises several issues: + +- if only MD5 checksums are provided in the package list, it is trivial + for an attacker to modify the content of a package, since checksum + verification is bypassed. If both MD5 and SHA256 checksums are + provided, then SHA256 is correctly verified and the attack is not + possible. + +- future efforts to harden checksum verification would prevent package + installation. + +Note that OpenWrt has switched to SHA256 for all its packages several +years ago. As a result, this bug does not affect OpenWrt packages from the +official package feeds. + +However, custom package repositories that only use MD5 are affected. + +Initially submitted at https://github.com/openwrt/openwrt/pull/3087 + +Fixes: 33f7b80aa325 ("libopkg: drop custom md5 implementation, +unconditionally enable sha256 support") + +Signed-off-by: Alexander Ryzhov +[Add commit description] +Signed-off-by: Baptiste Jonglez +--- + libopkg/file_util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libopkg/file_util.c b/libopkg/file_util.c +index 3a1761e..8e698cc 100644 +--- a/libopkg/file_util.c ++++ b/libopkg/file_util.c +@@ -153,7 +153,7 @@ char *file_md5sum_alloc(const char *file_name) + + len = md5sum(file_name, md5sum_bin); + +- if (len) { ++ if (len < 0) { + opkg_msg(ERROR, "Could't compute md5sum for %s.\n", file_name); + return NULL; + } +-- +2.20.1 + -- cgit v0.9.1
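Review bot: the one-line change in the inner `libopkg/file_util.c` hunk (`if (len)` to `if (len < 0)`) is only correct if `md5sum()` returns a negative value on failure and the byte count on success; the hunk shows just the call site, so the commit message or a comment should state that return contract, since the old `if (len)` bug was precisely a misreading of it. Two follow-ups while this line is being touched: the context line `opkg_msg(ERROR, "Could't compute md5sum for %s.\n", file_name);` carries a typo ("Couldn't"), and, per the description, a NULL result from `file_md5sum_alloc()` leads the caller to skip verification and install the package anyway, so the fail-open behaviour at the call sites is worth a separate hardening change rather than relying on this check alone. A test against an MD5-only package list would have caught the regression named in `Fixes: 33f7b80aa325` and would guard this fix.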