
Bug#378183: apt: All SHA256 hashes generated/used by APT are wrong



On Fri, Jul 14, 2006 at 04:01:46AM +0200, Jakob Bohm wrote:
> Package: apt
> Version: 0.6.44.2
> Severity: critical
> Tags: security patch
> Justification: breaks the whole system

Thanks for your bug report and your patch. I applied the patch and I
added a test in tests/hashes.cc for the sha256 code.
 
> The SHA256 checksums recently added to Packages files are wrong
> due to a porting error when the sha256 implementation code was
> imported from the Linux kernel sources to the apt source tree. 
> Specifically, the broken sha256 code checksums only 19 out of
> every 64 bytes of input and otherwise computes a result which is
> neither sha256(input) nor sha256(mangled input).
> 
> According to the changelog, the broken code was added to
> non-experimental apt in version 0.6.44 uploaded 8 May 2006 .
> 
> This has the following severe consequences:
> 
> - The broken hash values obviously do not provide anything
>  resembling the security needed by secure apt, a problem
>  compounded by the broken status of the other two hash
>  algorithms used (MD5 and SHA1).  Thus the security tag.

The current version of apt is not yet fully converted to use
sha256. Currently we generate them in apt-ftparchive but they are not
yet checked when the files are downloaded (only sha1/md5 are checked right now).

There is a branch to fully do sha256 at
http://people.ubuntu.com/~mvo/bzr/apt/sha256/ 

but it is not finished and there are several issues that need to be
resolved first. 

> - When the code is fixed to produce and check correct SHA256
>  hashes, the fact that these values are different from the
>  broken values means that a correct apt will reject all Packages
>  files produced by a broken apt and a broken apt will reject all
>  Packages files produced by a correct apt.  This means that
>  when such a new apt implementation is placed in the debian
>  archive, the whole system becomes impossible to install or
>  upgrade:
[..]

See above, this is not an issue right now. 

Cheers,
 Michael


-- 
Linux is not The Answer. Yes is the answer. Linux is The Question. - Neo
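
As an added example (not apt's code, and not the test Michael mentions adding in tests/hashes.cc), the following Python script does the two checks a practitioner would want after reading this thread: it runs a candidate SHA-256 routine against the FIPS 180-2 known-answer vectors, including messages that span more than one 64-byte block, and it verifies the Size, MD5sum, SHA1 and SHA256 fields of Packages stanzas against the package bytes, which is what a fully converted apt would do on download. The package contents, the Packages stanzas and the deliberately wrong `truncated_block_sha256` stand-in are constructed for the example; the stand-in is not a reproduction of the apt bug, it only shows why a single short test vector is not enough to catch a per-block porting error.

```python
"""Known-answer check for a SHA-256 routine plus verification of the hash
fields in apt Packages stanzas. Added example; not apt's own code."""
import hashlib
from typing import Callable, Dict, List, Tuple

# FIPS 180-2 known-answer vectors. The 56-byte message needs two blocks once
# padded and the million-'a' message needs 15625, so a routine that only
# processes part of each 64-byte block fails them even when a short
# one-block message happens to come out right.
SHA256_KAT = [
    (b"abc",
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    (b"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
     "248d6a61d20638b8e5c026930c3e6039a33ce45964ff2167f6ecedd419db06c1"),
    (b"a" * 1_000_000,
     "cdc76e5c9914fb9281a1c7e284d73e67f1809a48a497200e046d39ccc7112cd0"),
]


def sha256_hex(data: bytes) -> str:
    """Reference: Python's (OpenSSL-backed) SHA-256."""
    return hashlib.sha256(data).hexdigest()


def truncated_block_sha256(data: bytes, keep: int = 19) -> str:
    """Constructed stand-in for a broken port: feeds only the first `keep`
    bytes of every 64-byte block to a correct SHA-256. This is NOT the apt
    bug (the report says that one matches neither sha256(input) nor
    sha256(mangled input)); it just exercises the known-answer check."""
    mangled = b"".join(data[i:i + keep] for i in range(0, len(data), 64))
    return hashlib.sha256(mangled).hexdigest()


def check_sha256_impl(impl: Callable[[bytes], str]) -> List[int]:
    """Return the indices of KAT vectors that `impl` gets wrong ([] = pass)."""
    return [i for i, (msg, want) in enumerate(SHA256_KAT) if impl(msg) != want]


def parse_packages(text: str) -> List[Dict[str, str]]:
    """Parse the RFC 822-style stanzas of a Packages file into dicts,
    skipping indented continuation lines (long Description fields)."""
    stanzas: List[Dict[str, str]] = []
    cur: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                stanzas.append(cur)
                cur = {}
        elif line[0] not in " \t":
            key, _, value = line.partition(":")
            cur[key.strip()] = value.strip()
    if cur:
        stanzas.append(cur)
    return stanzas


HASH_FIELDS = {"MD5sum": hashlib.md5, "SHA1": hashlib.sha1, "SHA256": hashlib.sha256}


def verify_packages(text: str, files: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Check Size and every hash field present in each stanza against the
    .deb bytes in `files` (keyed by Filename); return (filename, field)
    pairs that do not match. A secure-apt client must reject any mismatch."""
    bad: List[Tuple[str, str]] = []
    for st in parse_packages(text):
        name = st.get("Filename", "?")
        data = files.get(name)
        if data is None:
            bad.append((name, "missing"))
            continue
        if st.get("Size") != str(len(data)):
            bad.append((name, "Size"))
        for field, ctor in HASH_FIELDS.items():
            if field in st and st[field] != ctor(data).hexdigest():
                bad.append((name, field))
    return bad


# Constructed sample archive: two fake .deb payloads (not real packages).
FOO = "pool/main/f/foo/foo_1.0_all.deb"
BAR = "pool/main/b/bar/bar_2.1_all.deb"
DEBS = {FOO: b"!<arch>\n" + bytes(range(256)) * 3,
        BAR: b"!<arch>\n" + b"bar payload " * 40}


def make_stanza(pkg: str, name: str, data: bytes, sha256_impl) -> str:
    """Emit one Packages stanza the way a generator (apt-ftparchive) would,
    using `sha256_impl` for the SHA256 field so a broken generator can be
    simulated."""
    return (f"Package: {pkg}\nFilename: {name}\nSize: {len(data)}\n"
            f"MD5sum: {hashlib.md5(data).hexdigest()}\n"
            f"SHA1: {hashlib.sha1(data).hexdigest()}\n"
            f"SHA256: {sha256_impl(data)}\n")


# Constructed Packages file: foo from a correct generator, bar from the stand-in.
SAMPLE_PACKAGES = "\n".join([make_stanza("foo", FOO, DEBS[FOO], sha256_hex),
                             make_stanza("bar", BAR, DEBS[BAR], truncated_block_sha256)])

if __name__ == "__main__":
    print("hashlib KAT failures:", check_sha256_impl(sha256_hex))
    print("stand-in KAT failures:", check_sha256_impl(truncated_block_sha256))
    print("Packages mismatches:", verify_packages(SAMPLE_PACKAGES, DEBS))
```

Note that the stand-in passes the "abc" vector, because that message fits in the first 19 bytes of its only block, and fails only the multi-block ones; a hash self-test that stops at a one-block vector would have let it through. The `verify_packages` result is exactly what a correct client would see against an index written by a broken generator: MD5sum and SHA1 agree, SHA256 does not, so the whole stanza must be rejected.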