Bug#378183: apt: All SHA256 hashes generated/used by APT are wrong
On Fri, Jul 14, 2006 at 04:01:46AM +0200, Jakob Bohm wrote:
> Package: apt
> Version: 0.6.44.2
> Severity: critical
> Tags: security patch
> Justification: breaks the whole system
Thanks for your bug report and your patch. I applied the patch and I
added a test in tests/hashes.cc for the sha256 code.
> The SHA256 checksums recently added to Packages files are wrong
> due to a porting error when the sha256 implementation code was
> imported from the Linux kernel sources to the apt source tree.
> Specifically, the broken sha256 code checksums only 19 out of
> every 64 bytes of input and otherwise computes a result which is
> neither sha256(input) nor sha256(mangled input).
>
> According to the changelog, the broken code was added to
> non-experimental apt in version 0.6.44 uploaded 8 May 2006.
>
> This has the following severe consequences:
>
> - The broken hash values obviously do not provide anything
> resembling the security needed by secure apt, a problem
> compounded by the broken status of the other two hash
> algorithms used (MD5 and SHA1). Thus the security tag.
The current version of apt is not yet fully converted to use
sha256. Currently we generate them in apt-ftparchive but they are not
yet checked when the files are downloaded (only sha1/md5 is right now).
There is a branch to fully do sha256 at
http://people.ubuntu.com/~mvo/bzr/apt/sha256/
but it is not finished and there are several issues that need to be
resolved first.
> - When the code is fixed to produce and check correct SHA256
> hashes, the fact that these values are different from the
> broken values means that a correct apt will reject all Packages
> files produced by a broken apt and a broken apt will reject all
> Packages files produced by a correct apt. This means that
> when such a new apt implementation is placed in the debian
> archive, the whole system becomes impossible to install or
> upgrade:
[..]
See above, this is not an issue right now.
Cheers,
Michael
--
Linux is not The Answer. Yes is the answer. Linux is The Question. - Neo
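
An added example, not apt's code and not part of the report or reply above: a stand-alone SHA-256 in C together with the known-answer tests a maintainer keeps next to the implementation (the same idea as a test in tests/hashes.cc, but nothing here is taken from apt). The vectors are the FIPS 180-2 examples; the byte-flip inputs and the chunked feeding are constructed for this example. A porting slip of the kind the report describes, where only part of each 64-byte block is hashed, fails the two multi-block vectors, and the final loop pins down which byte positions a broken compressor ignores.

```c
/* Added example, not apt's code: a stand-alone SHA-256 plus the known-answer tests
 * one keeps beside it.  Vectors are FIPS 180-2's; the byte-flip inputs are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static const uint32_t K[64] = {
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2};
#define ROTR(x, n) (((x) >> (n)) | ((x) << (32 - (n))))
#define CH(x, y, z) (((x) & (y)) ^ (~(x) & (z)))
#define MAJ(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
#define BSIG0(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
#define BSIG1(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
#define SSIG0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ ((x) >> 3))
#define SSIG1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ ((x) >> 10))

typedef struct { uint32_t h[8]; uint8_t buf[64]; size_t buflen; uint64_t total; } sha256_ctx;

/* Compress one full 64-byte block; every byte must reach the message schedule. */
static void sha256_block(uint32_t h[8], const uint8_t blk[64]) {
    uint32_t w[64], a, b, c, d, e, f, g, hh, t1, t2;
    for (int i = 0; i < 16; i++)
        w[i] = (uint32_t)blk[4 * i] << 24 | (uint32_t)blk[4 * i + 1] << 16 | (uint32_t)blk[4 * i + 2] << 8 | blk[4 * i + 3];
    for (int i = 16; i < 64; i++) w[i] = SSIG1(w[i - 2]) + w[i - 7] + SSIG0(w[i - 15]) + w[i - 16];
    a = h[0]; b = h[1]; c = h[2]; d = h[3]; e = h[4]; f = h[5]; g = h[6]; hh = h[7];
    for (int i = 0; i < 64; i++) {
        t1 = hh + BSIG1(e) + CH(e, f, g) + K[i] + w[i];
        t2 = BSIG0(a) + MAJ(a, b, c);
        hh = g; g = f; f = e; e = d + t1; d = c; c = b; b = a; a = t1 + t2;
    }
    h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e; h[5] += f; h[6] += g; h[7] += hh;
}

void sha256_init(sha256_ctx *c) {
    static const uint32_t iv[8] = {0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19};
    memcpy(c->h, iv, sizeof iv); c->buflen = 0; c->total = 0;
}

/* Buffer input and compress whole blocks; any chunking must give the same digest. */
void sha256_update(sha256_ctx *c, const uint8_t *p, size_t n) {
    c->total += n;
    while (n > 0) {
        size_t take = 64 - c->buflen;
        if (take > n) take = n;
        memcpy(c->buf + c->buflen, p, take);
        c->buflen += take; p += take; n -= take;
        if (c->buflen == 64) { sha256_block(c->h, c->buf); c->buflen = 0; }
    }
}

/* Pad with 0x80, zeros and the big-endian 64-bit bit length, then emit the digest. */
void sha256_final(sha256_ctx *c, uint8_t out[32]) {
    uint64_t bits = c->total * 8;
    c->buf[c->buflen++] = 0x80;
    if (c->buflen > 56) { memset(c->buf + c->buflen, 0, 64 - c->buflen); sha256_block(c->h, c->buf); c->buflen = 0; }
    memset(c->buf + c->buflen, 0, 56 - c->buflen);
    for (int i = 0; i < 8; i++) c->buf[56 + i] = (uint8_t)(bits >> (56 - 8 * i));
    sha256_block(c->h, c->buf);
    for (int i = 0; i < 32; i++) out[i] = (uint8_t)(c->h[i / 4] >> (24 - 8 * (i % 4)));
}

/* Hash msg in one call and render the digest as 64 lowercase hex characters. */
void sha256_hex(const uint8_t *msg, size_t n, char hex[65]) {
    sha256_ctx c; uint8_t d[32];
    sha256_init(&c); sha256_update(&c, msg, n); sha256_final(&c, d);
    for (int i = 0; i < 32; i++) sprintf(hex + 2 * i, "%02x", d[i]);
}

/* Returns 1 if every known-answer and sensitivity test passes, 0 otherwise. */
int sha256_selftest(void) {
    static const struct { const char *msg, *hex; } kat[] = {
        {"", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
        {"abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"},
        {"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", "248d6a61d20638b8e5c026930c3e6039a33ce45964ff2167f6ecedd419db06c1"}};
    char hex[65], base[65]; uint8_t d[32], m[64] = {0}, chunk[1000];
    for (size_t i = 0; i < sizeof kat / sizeof kat[0]; i++) {
        sha256_hex((const uint8_t *)kat[i].msg, strlen(kat[i].msg), hex);
        if (strcmp(hex, kat[i].hex) != 0) return 0;
    }
    /* One million 'a' fed in 1000-byte pieces: many full blocks plus the buffering path. */
    sha256_ctx c; memset(chunk, 'a', sizeof chunk); sha256_init(&c);
    for (int i = 0; i < 1000; i++) sha256_update(&c, chunk, sizeof chunk);
    sha256_final(&c, d);
    for (int i = 0; i < 32; i++) sprintf(hex + 2 * i, "%02x", d[i]);
    if (strcmp(hex, "cdc76e5c9914fb9281a1c7e284d73e67f1809a48a497200e046d39ccc7112cd0") != 0) return 0;
    /* Constructed check: flipping any one byte of a full block must change the digest; a
     * compressor that ignores part of each block fails this at the ignored positions. */
    sha256_hex(m, sizeof m, base);
    for (int p = 0; p < 64; p++) {
        m[p] = 1; sha256_hex(m, sizeof m, hex); m[p] = 0;
        if (strcmp(hex, base) == 0) return 0;
    }
    return 1;
}
```

sha256_selftest() returns 1 only when all checks pass. The first three vectors cover the empty message, a one-block message and a message whose padding spills into a second block; the million-'a' vector, fed in 1000-byte pieces, confirms that the streaming update gives the same digest regardless of how the input is split; the byte-flip loop is the check that would have flagged a compressor that only consumes part of each block, and it tells you which positions are being skipped.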