path: root/patches/libopkg-fix-md5sum-calculation.patch
blob: 71107c5a03e29678f3e9c5e928a06deb01e99adb (plain)
From 66f458decf9fd2839d77bf420e93d9c78025488a Mon Sep 17 00:00:00 2001
From: Alexander Ryzhov <github@ryzhov-al.ru>
Date: Sun, 13 Sep 2020 14:42:56 +0200
Subject: [PATCH] libopkg: fix md5sum calculation

This regression prevents MD5 checksums from being checked. Packages are
still installed, but this raises several issues:

- if only MD5 checksums are provided in the package list, it is trivial
  for an attacker to modify the content of a package, since checksum
  verification is bypassed. If both MD5 and SHA256 checksums are
  provided, then SHA256 is correctly verified and the attack is not
  possible.

- future efforts to harden checksum verification would prevent package
  installation.

Note that OpenWrt switched to SHA256 for all its packages several
years ago. As a result, this bug does not affect OpenWrt packages from the
official package feeds.

However, custom package repositories that only use MD5 are affected.

Initially submitted at https://github.com/openwrt/openwrt/pull/3087

Fixes: 33f7b80aa325 ("libopkg: drop custom md5 implementation,
unconditionally enable sha256 support")

Signed-off-by: Alexander Ryzhov <github@ryzhov-al.ru>
[Add commit description]
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
---
 libopkg/file_util.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libopkg/file_util.c b/libopkg/file_util.c
index 3a1761e..8e698cc 100644
--- a/libopkg/file_util.c
+++ b/libopkg/file_util.c
@@ -153,7 +153,7 @@ char *file_md5sum_alloc(const char *file_name)
 
 	len = md5sum(file_name, md5sum_bin);
 
-	if (len) {
+	if (len < 0) {
 		opkg_msg(ERROR, "Could't compute md5sum for %s.\n", file_name);
 		return NULL;
 	}
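Review bot: The corrected condition `if (len < 0)` only treats a negative return from md5sum() as an error, so a zero return would now be accepted as a successfully computed digest; if md5sum() can return 0 (for example on a short or empty read), `if (len <= 0)` would be the safer check, otherwise a comment stating that 0 is a valid length would help the next reader. The commit message also notes that packages are still installed when the checksum cannot be computed, which this hunk does not change: the NULL return from file_md5sum_alloc() should be treated by callers as a verification failure rather than as "no checksum to check", so that a compute error cannot silently skip MD5 verification in the same way this regression did. Finally, the unchanged context line carries a typo in the error string, `"Could't compute md5sum for %s.\n"`, which should read `"Couldn't compute md5sum for %s.\n"` and could be fixed in the same commit since the surrounding block is already being touched.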
-- 
2.20.1