
Bug#796474: busybox: mishandles non-hash lines in sha512sum and friends



Package: busybox-static
Version: 1:1.22.0-15
Severity: normal

I have an OpenPGP-signed file that contains lines produced by
sha512sum[0].  Running sha512sum -c on it exits 0, noting the
improperly-formatted lines:

  vauxhall ok % LC_ALL=C sha512sum -c SHA512SUMS; echo $?
  0223b187.asc: OK
  README.adoc: OK
  README.xhtml: OK
  otr.adoc: OK
  otr.xhtml: OK
  ssh-keys.txt: OK
  sha512sum: WARNING: 20 lines are improperly formatted
  0

However, busybox's sha512sum exits 1:

  vauxhall no % LC_ALL=C busybox sha512sum -c SHA512SUMS; echo $?
  0223b187.asc: OK
  README.adoc: OK
  README.xhtml: OK
  otr.adoc: OK
  otr.xhtml: OK
  ssh-keys.txt: OK
  sha512sum: WARNING: 20 of 26 computed checksums did NOT match
  1

Furthermore, it claims that there were 20 computed checksums that did
not match, which is untrue and misleading.  As there were no
corresponding files, it did not compute any checksums for those lines,
and all the checksums it did compute did, in fact, match.

OpenPGP clearsigning hash files is not uncommon; for example, kernel.org
does it[1].  busybox's sha512sum (and sha256sum, etc.) should exit 0 on
success even in the face of ill-formed lines, and it should accurately
reflect that those lines were ill-formed and not lead the user to
believe that there was a mismatch when there was not.

[0] Available at https://www.crustytoothpaste.net/~bmc/keys/
[1] https://www.kernel.org/pub/software/scm/git/sha256sums.asc

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=es_US.UTF-8, LC_CTYPE=es_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- no debconf information

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187

Attachment: signature.asc
Description: Digital signature
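
The behaviour this report asks for, as an added example in Python (not busybox or coreutils code): lines that do not parse as checksum lines are counted separately from mismatches and do not change the exit status. The file names, sample contents, placeholder signature block and the helper `build_sample` are constructed for the illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# sha512sum line: 128 hex digits, space, ' ' (text) or '*' (binary), name.
HASH_LINE = re.compile(r"^([0-9a-fA-F]{128}) [ *](.+)$")


def check_sums(list_path, base_dir):
    """Return (ok, failed, malformed, exit_status) for a SHA-512 list."""
    ok = failed = malformed = 0
    with open(list_path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            m = HASH_LINE.match(raw.rstrip("\r\n"))
            if m is None:
                malformed += 1  # armor header, blank line, signature data
                continue
            try:
                data = Path(base_dir, m.group(2)).read_bytes()
                actual = hashlib.sha512(data).hexdigest()
            except OSError:
                actual = None  # unreadable listed file is a real failure
            if actual == m.group(1).lower():
                ok += 1
            else:
                failed += 1
    # Malformed lines are reported but do not fail the run. Design choice of
    # this example: a list with no usable hash lines at all is not a success.
    status = 1 if failed or ok == 0 else 0
    return ok, failed, malformed, status


def build_sample(dirpath):
    """Write constructed sample files plus a clearsigned-style list."""
    lines = ["-----BEGIN PGP SIGNED MESSAGE-----", "Hash: SHA512", ""]
    for name, data in (("a.txt", b"alpha\n"), ("b.txt", b"beta\n")):
        Path(dirpath, name).write_bytes(data)
        lines.append(f"{hashlib.sha512(data).hexdigest()}  {name}")
    lines += ["-----BEGIN PGP SIGNATURE-----", "(constructed placeholder)",
              "-----END PGP SIGNATURE-----"]
    list_path = Path(dirpath, "SHA512SUMS")
    list_path.write_text("\n".join(lines) + "\n", encoding="utf-8")
    return list_path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(check_sums(build_sample(d), d))
```

The checker reads every well-formed hash line wherever it sits in the file, so the signature on a clearsigned list has to be verified separately (for example with `gpg --verify`) before the result is trusted.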

