Bug#636314: apt: Packages.bz2 checksum mismatch not detected

On Fri, Aug 05, 2011 at 02:04:27PM +0200, Michael Vogt wrote:
> On Fri, Aug 05, 2011 at 07:23:15AM -0400, Hamish Moffatt wrote:
> The test-bz2-hash-error.tar that is attached to the bug does not have
> a Release.gpg file. With this unsigned archive there is indeed no
> hashsum check.

So it is, my apologies.

> > As a second dist, I copied down dists/ from a debian mirror, repacked a
> > Packages.bz2 for main/binary-i386 to ensure the md5sum changed, then ran
> > apt-get update against it. There was no error and apt-cache policy
> > showed that apt considered the source valid.
> 
> I just did something similar, I wget Release and Release.gpg, then
> binary-i386/Packages.bz2 into /var/www, modified its content and ran
> apt-get update on a sources.list that points to http://localhost/ 
> 
> With both current trunk and the apt in squeeze I got the expected
> "Hash Sum mismatch" error and no Packages file in /var/lib/apt/lists
> 
> If you can reproduce this, I would love to get the output of 
> "apt-get update -o Debug::pkgAcquire::Auth=true" and steps how to
> reproduce this. I'm also available on irc as "mvo" on oftc and
> freenode for faster turnaround. As this report is quite concerning, I
> would really like to get to the bottom of this as quickly as
> possible.
> 
> One thing I can think of is that apt does not verify the content in
> /var/lib/apt/lists again after it got downloaded, so if the Packages
> file in there is modified locally, then apt will not catch that.

I had trouble catching the debug output in a useful way, I suspect
because it's coming from the sub-processes. "apt-get ... 2>&1" doesn't
grab it and "script" produced rather a mess. I'll try to paste it below.

In my sources.list I have:

deb http://www.risingsoftware.com/~hamish/deb squeeze main

You are welcome to test against this.

I renamed the original Packages.bz2 to .real and repacked it.
The sha256sums are:
114ce0441b921dd4a83788805438055d1c6f8de66a1c4c327de31ffaf65a729d dists/squeeze/main/binary-i386/Packages.bz2
61d6edde3f1572dd92f44dc134b4024d30cbf3c24a856b914a8844a6fcdc613b dists/squeeze/main/binary-i386/Packages.bz2.real

and the Release file says
61d6edde3f1572dd92f44dc134b4024d30cbf3c24a856b914a8844a6fcdc613b 6566963 main/binary-i386/Packages.bz2

I removed the cached lists from /var/lib/apt/lists first.

Hamish

[ 9:02AM] hamish@li154-67:~ $ sudo apt-get update -o Debug::pkgAcquire::Auth=true
Get:1 http://www.risingsoftware.com squeeze Release.gpg [1,672 B]
Ign http://www.risingsoftware.com/~hamish/deb/ squeeze/main Translation-en
Ign http://www.risingsoftware.com/~hamish/deb/ squeeze/main Translation-en_AU
Get:2 http://www.risingsoftware.com squeeze Release [104 kB]
60% [Connecting to ftp.us.debian.org] [Connecting to security.debian.org (212.211.132.250)] [2 Release 62.1 kB/104 kB 59%]Metaindex acquired, queueing gpg verification (/var/lib/apt/lists/partial/www.risingsoftware.com_%7ehamish_deb_dists_squeeze_Release.gpg,/var/lib/apt/lists/partial/www.risingsoftware.com_%7ehamish_deb_dists_squeeze_Release)
99% [2 Release gpgv 104 kB] [Connecting to ftp.us.debian.org (199.6.12.70)] [Connecting to security.debian.org (212.211.132.250)]Got Codename: squeeze
Expecting Dist: squeeze
Transformed Dist: squeeze
Signature verification succeeded: /var/lib/apt/lists/partial/www.risingsoftware.com_%7ehamish_deb_dists_squeeze_Release
Queueing: http://www.risingsoftware.com/~hamish/deb/dists/squeeze/main/binary-i386/Packages
Expected Hash: SHA256:2bc8e2f2838654cb836ed000ab958cf9c349a1024b3c7b6d893d190be9752ece
Get:3 http://www.risingsoftware.com squeeze/main i386 Packages [7,816 kB]
Hit http://ftp.us.debian.org squeeze Release.gpg
Ign http://ftp.us.debian.org/debian/ squeeze/contrib Translation-en
Ign http://ftp.us.debian.org/debian/ squeeze/contrib Translation-en_AU
Ign http://ftp.us.debian.org/debian/ squeeze/main Translation-en
Ign http://ftp.us.debian.org/debian/ squeeze/main Translation-en_AU
Ign http://ftp.us.debian.org/debian/ squeeze/non-free Translation-en
Ign http://ftp.us.debian.org/debian/ squeeze/non-free Translation-en_AU
Hit http://ftp.us.debian.org squeeze-updates Release.gpg
Ign http://ftp.us.debian.org/debian/ squeeze-updates/contrib Translation-en
Ign http://ftp.us.debian.org/debian/ squeeze-updates/contrib Translation-en_AU
Ign http://ftp.us.debian.org/debian/ squeeze-updates/main Translation-en
Ign http://ftp.us.debian.org/debian/ squeeze-updates/main Translation-en_AU
Ign http://ftp.us.debian.org/debian/ squeeze-updates/non-free Translation-en
Ign http://ftp.us.debian.org/debian/ squeeze-updates/non-free Translation-en_AU
84% [Waiting for headers] [3 Packages 6,619 kB/7,816 kB 84%]Metaindex acquired, queueing gpg verification (/var/lib/apt/lists/partial/ftp.us.debian.org_debian_dists_squeeze_Release.gpg,/var/lib/apt/lists/ftp.us.debian.org_debian_dists_squeeze_Release)
Hit http://ftp.us.debian.org squeeze Release
84% [Waiting for headers] [Waiting for headers] [3 Packages 6,619 kB/7,816 kB 84%]Metaindex acquired, queueing gpg verification (/var/lib/apt/lists/partial/ftp.us.debian.org_debian_dists_squeeze-updates_Release.gpg,/var/lib/apt/lists/ftp.us.debian.org_debian_dists_squeeze-updates_Release)
Hit http://ftp.us.debian.org squeeze-updates Release
84% [Release gpgv 104 kB] [Waiting for headers] [3 Packages 6,623 kB/7,816 kB 84%]Got Codename: squeeze
Expecting Dist: squeeze
Transformed Dist: squeeze
Signature verification succeeded: /var/lib/apt/lists/ftp.us.debian.org_debian_dists_squeeze_Release
Queueing: http://ftp.us.debian.org/debian/dists/squeeze/main/source/Sources
Expected Hash: SHA256:a36b4dbd279c55c19262f7328123c0199209398223453b1d503de49fc7d7fe3a
Queueing: http://ftp.us.debian.org/debian/dists/squeeze/non-free/source/Sources
Expected Hash: SHA256:4e40b53e633ce78958d3c4b024f218345151947acc717ff3099be9995c966124
Queueing: http://ftp.us.debian.org/debian/dists/squeeze/contrib/source/Sources
Expected Hash: SHA256:31797608cfd95a8817d1d5347ea7bce50230cce2289db25c7b8a35d8b7f868a0
Queueing: http://ftp.us.debian.org/debian/dists/squeeze/main/binary-i386/Packages
Expected Hash: SHA256:2bc8e2f2838654cb836ed000ab958cf9c349a1024b3c7b6d893d190be9752ece
Queueing: http://ftp.us.debian.org/debian/dists/squeeze/non-free/binary-i386/Packages
Expected Hash: SHA256:2b317a5a4ea6266efc384fc4ba8d092bf1dceebb99f1b91427f8a1bd14bcb28f
Queueing: http://ftp.us.debian.org/debian/dists/squeeze/contrib/binary-i386/Packages
Expected Hash: SHA256:e0aa709917596a3ef5cd69bf47e24ed738e5fdd2b96ce68400c4dcc38cc71857
90% [Release gpgv 113 kB] [Waiting for headers] [3 Packages 7,078 kB/7,816 kB 90%]Got Codename: squeeze-updates
Expecting Dist: squeeze-updates
Transformed Dist: squeeze-updates
Signature verification succeeded: /var/lib/apt/lists/ftp.us.debian.org_debian_dists_squeeze-updates_Release
Queueing: http://ftp.us.debian.org/debian/dists/squeeze-updates/main/source/Sources
Expected Hash: SHA256:065d3a955db08f050c998c1daf6f6eaf42aa08e82b4288131a3783137d2548b6
Queueing: http://ftp.us.debian.org/debian/dists/squeeze-updates/non-free/source/Sources
Expected Hash: SHA256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Queueing: http://ftp.us.debian.org/debian/dists/squeeze-updates/contrib/source/Sources
Expected Hash: SHA256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Queueing: http://ftp.us.debian.org/debian/dists/squeeze-updates/main/binary-i386/Packages
Expected Hash: SHA256:14e9a18ec616cc37f12cdeeec18a174425c8d5db4e17e53f81308d99189e6329
Queueing: http://ftp.us.debian.org/debian/dists/squeeze-updates/non-free/binary-i386/Packages
Expected Hash: SHA256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Queueing: http://ftp.us.debian.org/debian/dists/squeeze-updates/contrib/binary-i386/Packages
Expected Hash: SHA256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
94% [Waiting for headers] [Waiting for headers] [3 Packages 7,406 kB/7,816 kB 94%]201 URI Done: http://www.risingsoftware.com/~hamish/deb/dists/squeeze/main/binary-i386/Packages.bz2
RecivedHash: SHA256:114ce0441b921dd4a83788805438055d1c6f8de66a1c4c327de31ffaf65a729d
ExpectedHash: SHA256:2bc8e2f2838654cb836ed000ab958cf9c349a1024b3c7b6d893d190be9752ece

Hit http://security.debian.org squeeze/updates Release.gpg
Ign http://security.debian.org/ squeeze/updates/contrib Translation-en
Ign http://security.debian.org/ squeeze/updates/contrib Translation-en_AU
99% [3 Packages bzip2 0 B] [Waiting for headers] [Waiting for headers]201 URI Done: http://ftp.us.debian.org/debian/dists/squeeze/main/source/Sources.bz2
RecivedHash:
ExpectedHash: SHA256:a36b4dbd279c55c19262f7328123c0199209398223453b1d503de49fc7d7fe3a

Hit http://ftp.us.debian.org squeeze/main Sources
99% [3 Packages bzip2 0 B] [Waiting for headers]201 URI Done: http://ftp.us.debian.org/debian/dists/squeeze/non-free/source/Sources.bz2
RecivedHash:
ExpectedHash: SHA256:4e40b53e633ce78958d3c4b024f218345151947acc717ff3099be9995c966124

Hit http://ftp.us.debian.org squeeze/non-free Sources
201 URI Done: http://ftp.us.debian.org/debian/dists/squeeze/contrib/source/Sources.bz2
RecivedHash:
ExpectedHash: SHA256:31797608cfd95a8817d1d5347ea7bce50230cce2289db25c7b8a35d8b7f868a0

Hit http://ftp.us.debian.org squeeze/contrib Sources
201 URI Done: http://ftp.us.debian.org/debian/dists/squeeze/main/binary-i386/Packages.bz2
RecivedHash:
ExpectedHash: SHA256:2bc8e2f2838654cb836ed000ab958cf9c349a1024b3c7b6d893d190be9752ece

Hit http://ftp.us.debian.org squeeze/main i386 Packages
201 URI Done: http://ftp.us.debian.org/debian/dists/squeeze/non-free/binary-i386/Packages.bz2
RecivedHash:
ExpectedHash: SHA256:2b317a5a4ea6266efc384fc4ba8d092bf1dceebb99f1b91427f8a1bd14bcb28f

Hit http://ftp.us.debian.org squeeze/non-free i386 Packages
201 URI Done: http://ftp.us.debian.org/debian/dists/squeeze/contrib/binary-i386/Packages.bz2
RecivedHash:
ExpectedHash: SHA256:e0aa709917596a3ef5cd69bf47e24ed738e5fdd2b96ce68400c4dcc38cc71857

Hit http://ftp.us.debian.org squeeze/contrib i386 Packages
Hit http://ftp.us.debian.org squeeze-updates/main Sources/DiffIndex
99% [3 Packages bzip2 0 B] [Waiting for headers] [Waiting for headers]201 URI Done: http://ftp.us.debian.org/debian/dists/squeeze-updates/non-free/source/Sources.bz2
RecivedHash:
ExpectedHash: SHA256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Hit http://ftp.us.debian.org squeeze-updates/non-free Sources
201 URI Done: http://ftp.us.debian.org/debian/dists/squeeze-updates/contrib/source/Sources.bz2
RecivedHash:
ExpectedHash: SHA256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Hit http://ftp.us.debian.org squeeze-updates/contrib Sources
Hit http://ftp.us.debian.org squeeze-updates/main i386 Packages/DiffIndex
201 URI Done: http://ftp.us.debian.org/debian/dists/squeeze-updates/non-free/binary-i386/Packages.bz2
RecivedHash:
ExpectedHash: SHA256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Hit http://ftp.us.debian.org squeeze-updates/non-free i386 Packages
Ign http://security.debian.org/ squeeze/updates/main Translation-en
Ign http://security.debian.org/ squeeze/updates/main Translation-en_AU
Ign http://security.debian.org/ squeeze/updates/non-free Translation-en
Ign http://security.debian.org/ squeeze/updates/non-free Translation-en_AU
99% [3 Packages bzip2 0 B] [Waiting for headers]Metaindex acquired, queueing gpg verification (/var/lib/apt/lists/partial/security.debian.org_dists_squeeze_updates_Release.gpg,/var/lib/apt/lists/security.debian.org_dists_squeeze_updates_Release)
Hit http://security.debian.org squeeze/updates Release
99% [3 Packages bzip2 0 B] [Release gpgv 38.4 kB] [Waiting for headers]Got Codename: squeeze
Expecting Dist: squeeze/updates
Transformed Dist: squeeze
Signature verification succeeded: /var/lib/apt/lists/security.debian.org_dists_squeeze_updates_Release
Queueing: http://security.debian.org/dists/squeeze/updates/main/binary-i386/Packages
Expected Hash: SHA256:9a4d69cc4792a78191af6b31b3f24080aa67339bc836a6d6a989278f9757f305
Queueing: http://security.debian.org/dists/squeeze/updates/contrib/binary-i386/Packages
Expected Hash: SHA256:f0f4d26b2f1adef2e527e6ea22876d8c5b8a40b037b3e07d06a75411d3dd4acb
Queueing: http://security.debian.org/dists/squeeze/updates/non-free/binary-i386/Packages
Expected Hash: SHA256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
99% [3 Packages bzip2 0 B] [Waiting for headers]201 URI Done: http://ftp.us.debian.org/debian/dists/squeeze-updates/contrib/binary-i386/Packages.bz2
RecivedHash:
ExpectedHash: SHA256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Hit http://ftp.us.debian.org squeeze-updates/contrib i386 Packages
99% [3 Packages bzip2 0 B] [Waiting for headers] [Waiting for headers]201 URI Done: http://ftp.us.debian.org/debian/dists/squeeze-updates/main/binary-i386/Packages.bz2
RecivedHash:
ExpectedHash: SHA256:14e9a18ec616cc37f12cdeeec18a174425c8d5db4e17e53f81308d99189e6329

Hit http://ftp.us.debian.org squeeze-updates/main i386 Packages
99% [3 Packages bzip2 0 B] [Waiting for headers]201 URI Done: http://security.debian.org/dists/squeeze/updates/main/binary-i386/Packages.bz2
RecivedHash:
ExpectedHash: SHA256:9a4d69cc4792a78191af6b31b3f24080aa67339bc836a6d6a989278f9757f305

Hit http://security.debian.org squeeze/updates/main i386 Packages
99% [3 Packages bzip2 0 B]201 URI Done: http://security.debian.org/dists/squeeze/updates/contrib/binary-i386/Packages.bz2
RecivedHash:
ExpectedHash: SHA256:f0f4d26b2f1adef2e527e6ea22876d8c5b8a40b037b3e07d06a75411d3dd4acb

Hit http://security.debian.org squeeze/updates/contrib i386 Packages
99% [3 Packages bzip2 0 B] [Waiting for headers]201 URI Done: http://security.debian.org/dists/squeeze/updates/non-free/binary-i386/Packages.bz2
RecivedHash:
ExpectedHash: SHA256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Hit http://security.debian.org squeeze/updates/non-free i386 Packages
99% [3 Packages bzip2 0 B]201 URI Done: http://www.risingsoftware.com/~hamish/deb/dists/squeeze/main/binary-i386/Packages.bz2
RecivedHash: SHA256:2bc8e2f2838654cb836ed000ab958cf9c349a1024b3c7b6d893d190be9752ece
ExpectedHash: SHA256:2bc8e2f2838654cb836ed000ab958cf9c349a1024b3c7b6d893d190be9752ece


http://www.risingsoftware.com/~hamish/deb/dists/squeeze/main/binary-i386/Packages: Computed Hash: SHA256:2bc8e2f2838654cb836ed000ab958cf9c349a1024b3c7b6d893d190be9752ece  Expected Hash: SHA256:2bc8e2f2838654cb836ed000ab958cf9c349a1024b3c7b6d893d190be9752ece
Fetched 7,921 kB in 2s (3,491 kB/s)
Reading package lists... Done
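As an added example (not part of Hamish's message and not apt's own code), the script below shows the check a repository client has to make for the report's scenario to be caught: the SHA256 listed in the signed Release file for Packages.bz2 must be compared against the downloaded compressed bytes, not only the Release entry for the decompressed Packages against the decompressed content. The debug output above reads that way: the RecivedHash of the .bz2 (114ce...) differs from the Release entry, yet the Computed Hash of the decompressed file matches and the update succeeds. The Packages content, the Release file and the "repacked" archive are all constructed inside the script; repacking with another bzip2 block size reproduces Hamish's case (same content, different compressed bytes) and editing the content reproduces Michael's case.

```python
"""Added example: verify a downloaded Packages.bz2 against the SHA256 section
of a Release file, checking both the compressed bytes and the decompressed
content. All sample data is constructed here, not taken from the report."""
import bz2
import hashlib

# Constructed sample index content (not from the report's archive).
PACKAGES = b"""Package: example-tool
Version: 1.0-1
Architecture: i386
Filename: pool/main/e/example-tool/example-tool_1.0-1_i386.deb

"""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_release(entries):
    """Build a minimal Release file with a SHA256 section from (path, bytes)
    pairs, using the 'hash size path' line layout quoted in the report."""
    lines = ["Suite: squeeze", "Codename: squeeze", "SHA256:"]
    for path, data in entries:
        lines.append(f" {sha256_hex(data)} {len(data)} {path}")
    return "\n".join(lines) + "\n"


def parse_release_sha256(release_text: str) -> dict:
    """Return {path: (hexdigest, size)} from the SHA256 section only.
    Indented lines belong to the most recent 'Field:' header, so entries
    under MD5Sum: or SHA1: are skipped."""
    entries = {}
    in_sha256 = False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            in_sha256 = line.startswith("SHA256:")
        elif in_sha256:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def _matches(expected, path, data):
    """True only if Release lists path and both digest and size agree."""
    entry = expected.get(path)
    return entry is not None and entry == (sha256_hex(data), len(data))


def verify_index(release_text, bz2_path, bz2_bytes, check_compressed=True):
    """Verify bz2_bytes (fetched as bz2_path) against the Release file.
    check_compressed=False models a verifier that hashes only the
    decompressed Packages, which is how the debug output above reads."""
    expected = parse_release_sha256(release_text)
    plain_path = bz2_path[: -len(".bz2")]
    checks = {
        "uncompressed": _matches(expected, plain_path, bz2.decompress(bz2_bytes))
    }
    if check_compressed:
        checks["compressed"] = _matches(expected, bz2_path, bz2_bytes)
    return all(checks.values()), checks


def demo():
    """Run the cases from the thread: untouched, repacked, modified content."""
    path = "main/binary-i386/Packages.bz2"
    original = bz2.compress(PACKAGES, compresslevel=9)
    release = make_release([(path[: -len(".bz2")], PACKAGES), (path, original)])
    # Repacking with another block size keeps the content but changes the
    # bytes (the bzip2 header records the block size): Hamish's case.
    repacked = bz2.compress(PACKAGES, compresslevel=1)
    # Modifying the content changes both hashes: Michael Vogt's case.
    tampered = bz2.compress(PACKAGES.replace(b"1.0-1", b"1.0-2"), compresslevel=9)
    return {
        "original_full": verify_index(release, path, original)[0],
        "repacked_full": verify_index(release, path, repacked)[0],
        "repacked_uncompressed_only": verify_index(release, path, repacked, False)[0],
        "tampered_full": verify_index(release, path, tampered)[0],
        "tampered_uncompressed_only": verify_index(release, path, tampered, False)[0],
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'OK' if ok else 'Hash Sum mismatch'}")
```

Only the repacked archive separates the two policies: with the decompressed-only check it is accepted, with the full check it is rejected, while modified content is rejected either way. A client that checks only the decompressed index therefore cannot distinguish a legitimately repacked Packages.bz2 from one whose compressed representation was altered by a third party, which is why the Release entry for the compressed file needs to be enforced too.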