From 66f458decf9fd2839d77bf420e93d9c78025488a Mon Sep 17 00:00:00 2001 From: Alexander Ryzhov Date: Sun, 13 Sep 2020 14:42:56 +0200 Subject: [PATCH] libopkg: fix md5sum calculation This regression prevents MD5 checksums from being checked. Packages are still installed, but this raises several issues: - if only MD5 checksums are provided in the package list, it is trivial for an attacker to modify the content of a package, since checksum verification is bypassed. If both MD5 and SHA256 checksums are provided, then SHA256 is correctly verified and the attack is not possible. - future efforts to harden checksum verification would prevent package installation. Note that OpenWrt has switched to SHA256 for all its packages several years ago. As a result, this bug does not affect OpenWrt packages from the official package feeds. However, custom package repositories that only use MD5 are affected. Initially submitted at https://github.com/openwrt/openwrt/pull/3087 Fixes: 33f7b80aa325 ("libopkg: drop custom md5 implementation, unconditionally enable sha256 support") Signed-off-by: Alexander Ryzhov [Add commit description] Signed-off-by: Baptiste Jonglez --- libopkg/file_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libopkg/file_util.c b/libopkg/file_util.c index 3a1761e..8e698cc 100644 --- a/libopkg/file_util.c +++ b/libopkg/file_util.c @@ -153,7 +153,7 @@ char *file_md5sum_alloc(const char *file_name) len = md5sum(file_name, md5sum_bin); - if (len) { + if (len < 0) { opkg_msg(ERROR, "Could't compute md5sum for %s.\n", file_name); return NULL; } -- 2.20.1
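Review bot: the new `if (len < 0)` test in file_md5sum_alloc() is only correct if `len` is declared as a signed type and md5sum() reports failure with a negative value, and neither the declaration nor the return convention is visible in this hunk. Please confirm that `len` is signed (with an unsigned type the comparison is always false and a failed digest would go unreported) and add a one-line comment above the check stating what md5sum() returns on success and on error, since the old `if (len)` check shows how easily that convention is misread. It is also worth stating whether a return of 0 can occur and how it should be treated, because the new condition accepts it as success. Since the commit message describes this as a regression that let MD5 verification be bypassed, a test that installs a package whose MD5 does not match the package list would keep it from returning. Minor: the unchanged context line reads "Could't compute md5sum"; that can be corrected to "Couldn't" while this code is being touched.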