Bug#775449: Provide sha size param instead of using environmental variable
Package: debootstrap
Tags: security patch
I am not comfortable with allowing a SHA_SIZE environmental variable,
defined at some point prior to running debootstrap, to dictate the
security of checksum verification performed by debootstrap. I would much
prefer to see the default overridden only by an explicitly provided
parameter.
The patch attached implements this.
The patch:
- Adds provision of a new --sha-size parameter for specifying the size
variant of the sha checksum binary to use.
- Preserves the current default of 256.
- Builds on top of my bug #775444 patch to replace the new 'sha binary
unavailable warning' with an error.
- Removes the sha1 fallback, requiring users to explicitly specify
--sha-size=1 if they need sha1sum to be used.
commit cce61c7c3d89293506817df0dd6ee646b8d8092e
Author: jnqnfe <jnqnfe@gmail.com>
Date: Thu Jan 15 19:38:44 2015 +0000
Provide sha size param instead of using environmental variable
diff --git a/debootstrap b/debootstrap
index c383517..8d40818 100755
--- a/debootstrap
+++ b/debootstrap
@@ -46,6 +46,7 @@ VERBOSE=""
CERTIFICATE=""
CHECKCERTIF=""
PRIVATEKEY=""
+SHA_SIZE=""
DEF_MIRROR="http://ftp.us.debian.org/debian"
DEF_HTTPS_MIRROR="https://mirrors.kernel.org/debian"
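Review bot: The unconditional `SHA_SIZE=""` added among the option defaults silently discards any SHA_SIZE value inherited from the environment, so a caller who was exporting it now gets the default of 256 with no indication that the setting was ignored. Consider documenting the behaviour change, or warning when the variable is already set on entry before it is cleared.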
@@ -118,6 +119,8 @@ usage()
--private-key=file read the private key from file
--certificate=file use the client certificate stored in file (PEM)
--no-check-certificate do not check certificate against certificate authorities
+ --sha-size=size used for specifying which size variant of sha checksum to
+ use in performing checksum verifications, default is 256
EOF
}
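Review bot: The `--sha-size=size` help entry does not say which sizes are accepted or that `1` selects sha1sum, which users need to know now that the automatic sha1 fallback is removed further down. The wording also differs from the neighbouring entries, which are imperative ("read the private key", "use the client certificate"); something like "use the given size variant of sha checksum for verification (default 256; 1 for sha1)" would match.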
@@ -345,6 +348,17 @@ if [ $# != 0 ] ; then
CHECKCERTIF="--no-check-certificate"
shift
;;
+ --sha-size|--sha-size=?*)
+ if [ "$1" = "--sha-size" -a -n "$2" ]; then
+ SHA_SIZE="--sha-size=$2"
+ shift 2
+ elif [ "$1" != "${1#--sha-size=}" ]; then
+ SHA_SIZE="--sha-size=${1#--sha-size=}"
+ shift 1
+ else
+ error 1 NEEDARG "option requires an argument %s" "$1"
+ fi
+ ;;
--*)
error 1 BADARG "unrecognized or invalid option %s" "$1"
;;
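Review bot: Both assignments in the `--sha-size` case store the option text instead of the value: `SHA_SIZE="--sha-size=$2"` and `SHA_SIZE="--sha-size=${1#--sha-size=}"`. The later check builds the binary name as `sha${SHA_SIZE}sum` and the field name as `SHA$SHA_SIZE`, so with these assignments it would look for `sha--sha-size=256sum` and always hit the error path. Assign the bare value (`SHA_SIZE="$2"` and `SHA_SIZE="${1#--sha-size=}"`). The value is also never validated here; since it ends up in a command name and in DEBOOTSTRAP_CHECKSUM_FIELD, it should be matched against a fixed set of known sizes and rejected with `error 1` otherwise.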
@@ -461,8 +475,7 @@ if [ -z "$SHA_SIZE" ]; then
SHA_SIZE=256
fi
if ! in_path "sha${SHA_SIZE}sum" && ! in_path "sha${SHA_SIZE}"; then
- warning SHA_SIZE "Cannot find binary for checking sha%s checksums, falling back to sha1" "${SHA_SIZE}"
- SHA_SIZE=1
+ error 1 SHA_SIZE "Cannot find binary for checking sha%s checksums" "${SHA_SIZE}"
fi
DEBOOTSTRAP_CHECKSUM_FIELD="SHA$SHA_SIZE"
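Review bot: The new `error 1 SHA_SIZE` message says the binary is missing but does not tell the user that the sha1 fallback is gone or how to select another size. Naming `--sha-size` in the message would make the failure actionable for callers who previously relied on the fallback.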