Bug#378183: apt: All SHA256 hashes generated/used by APT are wrong
Package: apt
Version: 0.6.44.2
Severity: critical
Tags: security patch
Justification: breaks the whole system
The SHA256 checksums recently added to Packages files are wrong
due to a porting error when the sha256 implementation code was
imported from the Linux kernel sources to the apt source tree.
Specifically, the broken sha256 code checksums only 19 out of
every 64 bytes of input and otherwise computes a result which is
neither sha256(input) nor sha256(mangled input).
According to the changelog, the broken code was added to
non-experimental apt in version 0.6.44 uploaded 8 May 2006.
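To make the "19 out of every 64 bytes" figure concrete, here is an added illustration (not code from the bug report or from apt itself): both versions of LOAD_OP side by side, plus a small helper of our own that counts how many bytes of one 64-byte block actually influence the loaded message words. The helper names load_block and bytes_that_matter and the sample block contents are assumptions.

```c
#include <stdint.h>
#include <string.h>

typedef uint32_t u32;
typedef uint8_t u8;

/* LOAD_OP as shipped in apt 0.6.44: word I comes from bytes I..I+3, so for
   I = 0..15 only bytes 0..18 of each 64-byte block are ever read. */
static inline void LOAD_OP_broken(int I, u32 *W, const u8 *input)
{
    W[I] = ( ((u32) input[I + 0] << 24) | ((u32) input[I + 1] << 16)
           | ((u32) input[I + 2] << 8)  | ((u32) input[I + 3]));
}

/* LOAD_OP after the patch: word I is the big-endian u32 at bytes 4I..4I+3,
   the message-block layout SHA-256 (FIPS 180-2) specifies. */
static inline void LOAD_OP_fixed(int I, u32 *W, const u8 *input)
{
    W[I] = ( ((u32) input[I * 4 + 0] << 24) | ((u32) input[I * 4 + 1] << 16)
           | ((u32) input[I * 4 + 2] << 8)  | ((u32) input[I * 4 + 3]));
}

/* Load W[0..15] from one 64-byte block with either loader (helper name is ours). */
static void load_block(u32 W[16], const u8 block[64], int fixed)
{
    for (int i = 0; i < 16; i++) {
        if (fixed) LOAD_OP_fixed(i, W, block);
        else       LOAD_OP_broken(i, W, block);
    }
}

/* Count how many of the 64 block bytes influence W[]: flip each byte in turn
   and see whether any loaded word changes. A correct loader depends on all 64. */
int bytes_that_matter(int fixed)
{
    u8 block[64];
    for (int i = 0; i < 64; i++) block[i] = (u8)(i * 37 + 11); /* constructed data */
    u32 base[16], W[16];
    load_block(base, block, fixed);
    int count = 0;
    for (int b = 0; b < 64; b++) {
        block[b] ^= 0xFF;                 /* perturb one byte */
        load_block(W, block, fixed);
        block[b] ^= 0xFF;                 /* restore it */
        if (memcmp(W, base, sizeof W) != 0) count++;
    }
    return count;
}
```

With the shipped loader bytes_that_matter(0) returns 19, with the patched loader bytes_that_matter(1) returns 64: any change to bytes 19..63 of a block passes through the broken hash unnoticed.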
This has the following severe consequences:
- The broken hash values obviously do not provide anything
resembling the security needed by secure apt, a problem
compounded by the broken status of the other two hash
algorithms used (MD5 and SHA1). Thus the security tag.
- When the code is fixed to produce and check correct SHA256
hashes, the fact that these values are different from the
broken values means that a correct apt will reject all Packages
files produced by a broken apt and a broken apt will reject all
Packages files produced by a correct apt. This means that
when such a new apt implementation is placed in the debian
archive, the whole system becomes impossible to install or
upgrade:
If the Packages file has bad SHA256 values, the broken apt
versions already installed by testers/users will allow
installation of the new apt, but once it has been installed,
the new apt will reject all packages and stop all further
installs.
If the Packages file has good SHA256 values, the broken apt
versions already deployed will refuse their contents, thus
preventing users from upgrading to a good apt.
This I believe justifies the "breaks whole system, critical"
tag.
To work around the "breaks whole system" issue, the following
transition plan is proposed:
1. Before uploading the fixed apt, temporarily reconfigure
darcs etc. to NOT include SHA256 values in Packages files at
all (apt-ftparchive has an option to do that).
2. Upload the fixed apt as a minimal change from the apt
version in testing, and coordinate with ftpadmin to push it
quickly through to testing. Yes, this means holding back
other bug fixes until the change has propagated.
3. Allow 1-3 weeks for users to upgrade to the fixed apt. Use
the various announce mailing lists to alert users to the
urgency of getting rid of apt versions 0.6.44 to 0.6.44.?
inclusive before the grace period ends!
4. Turn SHA256 back on in darcs etc. This makes the SHA256
security available for real. But it also means that the
archive can no longer be used by the broken 0.6.44 versions
of apt. So leave behind (on the ftp server, www server etc.)
a message explaining how users can manually upgrade to a new
apt version by downloading a .tar file and a detached .gpg
signature from ftp.debian.org/debian/tools/something. (This
would be a hand-built tar file containing replacement .so
files for each of the bad 0.6.44 apt versions and platforms).
For the security breakage, patching apt is the obvious fix.
Steps to reproduce:
$ apt-ftparchive packages somedirwithdebs
.....
Filename: somedirwithdebs/something_xyz_all.deb
SHA256: 64 wrong hex digits here
.....
$ gpg --print-md sha256 somedirwithdebs/something_xyz_all.deb
somedirwithdebs/something_xyz_all.deb: 64 right hex digits
$ shasum -a 256 somedirwithdebs/something_xyz_all.deb
64 right hex digits somedirwithdebs/something_xyz_all.deb
$ openssl dgst -sha256 -hex somedirwithdebs/something_xyz_all.deb
SHA256(somedirwithdebs/something_xyz_all.deb)= 64 right hex digits
$
Thus at least 3 independent SHA256 implementations agree on the
correct value, as will apt once corrected.
[Patch begin, apply to apt-0.6.44.x with patch -Np1]
diff -Naur apt-0.6.44.2.old/apt-pkg/contrib/sha256.cc apt-0.6.44.2.new/apt-pkg/contrib/sha256.cc
--- apt-0.6.44.2.orig/apt-pkg/contrib/sha256.cc 2006-05-16 19:31:39.000000000 +0000
+++ apt-0.6.44.2.new/apt-pkg/contrib/sha256.cc 2006-07-14 00:50:49.000000000 +0000
@@ -61,10 +61,10 @@
static inline void LOAD_OP(int I, u32 *W, const u8 *input)
{
- W[I] = ( ((u32) input[I + 0] << 24)
- | ((u32) input[I + 1] << 16)
- | ((u32) input[I + 2] << 8)
- | ((u32) input[I + 3]));
+ W[I] = ( ((u32) input[I * 4 + 0] << 24)
+ | ((u32) input[I * 4 + 1] << 16)
+ | ((u32) input[I * 4 + 2] << 8)
+ | ((u32) input[I * 4 + 3]));
}
static inline void BLEND_OP(int I, u32 *W)
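Review bot: the index change from `input[I + 0]` to `input[I * 4 + 0]` is the right fix (with the old form the loads for I = 0..15 touch only bytes 0..18 of each block, with the new one word I is the big-endian u32 at bytes 4I..4I+3), but the patch adds no regression check, so the same porting slip could come back unnoticed; a unit test comparing the output against a published SHA-256 test vector (e.g. the FIPS 180-2 "abc" vector) would close that gap. Minor: the `diff -Naur` line names `apt-0.6.44.2.old/` while the `---` header names `apt-0.6.44.2.orig/`; harmless with `-p1` but worth making consistent.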
[Patch end]
(In the Linux kernel, the same calculation used a kernel-only
type and macro to do the big-endian-unaligned-32bit to
native-endian-aligned-32bit conversion; the code lines above
were written specially for apt 0.6.44 (8 May 2006) and later.)
-- Package-specific info:
-- apt-config dump --
APT "";
APT::Architecture "amd64";
APT::Build-Essential "";
APT::Build-Essential:: "build-essential";
Dir "/";
Dir::State "var/lib/apt/";
Dir::State::lists "lists/";
Dir::State::cdroms "cdroms.list";
Dir::State::userstatus "status.user";
Dir::State::status "/var/lib/dpkg/status";
Dir::Cache "var/cache/apt/";
Dir::Cache::archives "archives/";
Dir::Cache::srcpkgcache "srcpkgcache.bin";
Dir::Cache::pkgcache "pkgcache.bin";
Dir::Etc "etc/apt/";
Dir::Etc::sourcelist "sources.list";
Dir::Etc::sourceparts "sources.list.d";
Dir::Etc::vendorlist "vendors.list";
Dir::Etc::vendorparts "vendors.list.d";
Dir::Etc::main "apt.conf";
Dir::Etc::parts "apt.conf.d";
Dir::Etc::preferences "preferences";
Dir::Bin "";
Dir::Bin::methods "/usr/lib/apt/methods";
Dir::Bin::dpkg "/usr/bin/dpkg";
DPkg "";
DPkg::Pre-Install-Pkgs "";
DPkg::Pre-Install-Pkgs:: "/usr/bin/apt-listchanges --apt || test $? -ne 10";
DPkg::Pre-Install-Pkgs:: "echo -n superdoc... ; /usr/local/sbin/superdoc --undo && echo ok || echo err $? || true";
DPkg::Pre-Install-Pkgs:: "/usr/sbin/dpkg-preconfigure --apt || true";
DPkg::Tools "";
DPkg::Tools::Options "";
DPkg::Tools::Options::/usr/bin/apt-listchanges "";
DPkg::Tools::Options::/usr/bin/apt-listchanges::Version "2";
DPkg::Post-Invoke "";
DPkg::Post-Invoke:: "echo -n superdoc... ; /usr/local/sbin/superdoc && echo ok || echo err $? || true";
DPkg::Post-Invoke:: "if [ -x /usr/bin/debsums ]; then /usr/bin/debsums --generate=nocheck -sp /var/cache/apt/archives; fi";
-- (no /etc/apt/preferences present) --
-- (/etc/apt/sources.list present, but not submitted) --
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /basnxt/bin/bash
Kernel: Linux 2.6.16jbj3.4-14
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Versions of packages apt depends on:
ii libc6 2.3.6-15 GNU C Library: Shared libraries
ii libgcc1 1:4.1.1-5 GCC support library
ii libstdc++6 4.1.1-5 The GNU Standard C++ Library v3
Versions of packages apt recommends:
ii debian-archive-keyring 2006.01.18 GnuPG archive keys of the Debian a
-- no debconf information