
Bug#636314: apt: Packages.bz2 checksum mismatch not detected



On Fri, Aug 05, 2011 at 12:32:17PM +0200, Michael Vogt wrote:
> On Tue, Aug 02, 2011 at 04:14:18AM -0400, Hamish Moffatt wrote:
> > Package: apt
> > Version: 0.8.10.3+squeeze1
> > Severity: important
> 
> Thanks for your bug report.
>  
> > I have a test repository containing a Packages.bz2 file with different
> > checksums than what is listed in the signed Release file. However,
> > 'apt-get update' does not report any error and shows the resulting
> > packages in the output of 'apt-cache policy'.
> > 
> > This occurs when accessing the repository with http. I think I have seen
> > errors reported when using file:/ urls (and uncompressed Packages) files
> > but I am not certain now.
> > 
> > I've attached a test repository; it's not signed, but I've tried with
> > signed repositories too. eg rsync dists/squeeze from a Debian mirror
> > then mess with main/binary-i386/Packages.bz2
> 
> I can verify this for unsigned Release files, there is indeed no
> hashsum verification in this case. I added a testcase and a fix to the
> debian-sid branch. But I was not able to verify this for signed
> Release files, I get correct errors in this case on apt-get update on
> mismatches (I added a test for this as well to the testsuite to be
> sure).

Thanks. By the way, I found this problem in lucid originally and verified
on squeeze before reporting it there.

However I am seeing the problem with what I believe is a correctly
signed repository. For example the repository inside the tar I attached
to the original report. I think the key for it is on keyserver.ubuntu.com.

As a second dist, I copied down dists/ from a Debian mirror, repacked a
Packages.bz2 for main/binary-i386 to ensure the md5sum changed, then ran
apt-get update against it. There was no error and apt-cache policy
showed that apt considered the source valid.


Hamish
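
Added example (not part of the bug report and not apt's own code): the check that the report says is missing, written as a stand-alone script. It builds a throwaway dists/squeeze tree in a temporary directory with one constructed main/binary-i386/Packages.bz2, writes an unsigned Release file whose MD5Sum and SHA256 sections cover it, then repacks the index the way the second reproduction above does and shows that the digest in the Release file no longer matches the file on disk. The package stanzas, suite name and file layout are constructed for the demo; the Release parsing follows the real file format (a `MD5Sum:`/`SHA256:` header followed by indented `digest size path` lines).

```python
"""Verify a Debian-style index file against the digests in its Release file.

Constructed example: a throwaway repository is created in a temp directory,
hashed into a Release file, then its Packages.bz2 is repacked so the bytes
(and therefore the digest) change while the Release file does not.
"""
import bz2
import hashlib
import os
import tempfile

# Constructed Packages stanza; any content works, it only has to be hashed.
PACKAGES_TEXT = (
    "Package: hello\n"
    "Version: 2.7-1\n"
    "Architecture: i386\n"
    "Filename: pool/main/h/hello/hello_2.7-1_i386.deb\n"
    "\n"
)
# A second stanza appended when the index is repacked, so the bytes differ.
EXTRA_STANZA = "Package: hello-extra\nVersion: 1.0-1\nArchitecture: i386\n\n"
INDEX_PATH = "main/binary-i386/Packages.bz2"
HASH_FIELDS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}


def parse_release(text):
    """Return {algo: {relative_path: (hexdigest, size)}} from Release text."""
    sums, current = {}, None
    for line in text.splitlines():
        if line.endswith(":") and line[:-1] in HASH_FIELDS:
            current = HASH_FIELDS[line[:-1]]      # start of a digest section
        elif line.startswith(" ") and current:
            digest, size, path = line.split()      # " <digest> <size> <path>"
            sums.setdefault(current, {})[path] = (digest, int(size))
        else:
            current = None                         # any other field ends it
    return sums


def verify_index(suite_dir, release_sums, rel_path, algo="sha256"):
    """Hash the on-disk index and compare it with the Release entry.

    Returns (ok, expected_digest, actual_digest). A False result means the
    index must be rejected rather than used to build the package cache.
    """
    expected, size = release_sums[algo][rel_path]
    with open(os.path.join(suite_dir, rel_path), "rb") as f:
        data = f.read()
    actual = hashlib.new(algo, data).hexdigest()
    return (actual == expected and len(data) == size, expected, actual)


def write_release(suite_dir, rel_paths):
    """Write a minimal unsigned Release file with MD5Sum and SHA256 sections."""
    lines = ["Suite: squeeze", "Codename: squeeze",
             "Architectures: i386", "Components: main"]
    for field, algo in (("MD5Sum", "md5"), ("SHA256", "sha256")):
        lines.append(field + ":")
        for p in rel_paths:
            with open(os.path.join(suite_dir, p), "rb") as f:
                data = f.read()
            lines.append(" %s %d %s" % (
                hashlib.new(algo, data).hexdigest(), len(data), p))
    with open(os.path.join(suite_dir, "Release"), "w") as f:
        f.write("\n".join(lines) + "\n")


def build_suite():
    """Create dists/squeeze with one Packages.bz2 and a matching Release."""
    suite_dir = os.path.join(tempfile.mkdtemp(), "dists", "squeeze")
    os.makedirs(os.path.dirname(os.path.join(suite_dir, INDEX_PATH)))
    with open(os.path.join(suite_dir, INDEX_PATH), "wb") as f:
        f.write(bz2.compress(PACKAGES_TEXT.encode()))
    write_release(suite_dir, [INDEX_PATH])
    return suite_dir


def repack_index(suite_dir):
    """Repack Packages.bz2 with an extra stanza; Release is left untouched."""
    with open(os.path.join(suite_dir, INDEX_PATH), "wb") as f:
        f.write(bz2.compress((PACKAGES_TEXT + EXTRA_STANZA).encode()))


def demo():
    """Run the check before and after the repack: returns (ok_before, ok_after)."""
    suite_dir = build_suite()
    with open(os.path.join(suite_dir, "Release")) as f:
        sums = parse_release(f.read())
    ok_before = verify_index(suite_dir, sums, INDEX_PATH, "sha256")[0] \
        and verify_index(suite_dir, sums, INDEX_PATH, "md5")[0]
    repack_index(suite_dir)
    ok_after = verify_index(suite_dir, sums, INDEX_PATH, "sha256")[0] \
        or verify_index(suite_dir, sums, INDEX_PATH, "md5")[0]
    return ok_before, ok_after


if __name__ == "__main__":
    before, after = demo()
    print("match before repack: %s, match after repack: %s" % (before, after))
```

Pointing `verify_index` at a real `dists/<suite>` directory fetched from a mirror (with the Release file read from the same directory) gives the same comparison for a real index; on the repository described in the report it should return False for the repacked Packages.bz2, which is what apt-get update was expected to flag.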


