Bug#636314: apt: Packages.bz2 checksum mismatch not detected

To: Hamish Moffatt <hamish@debian.org>
Cc: 636314@bugs.debian.org
Subject: Bug#636314: apt: Packages.bz2 checksum mismatch not detected
From: Michael Vogt <mvo@debian.org>
Date: Fri, 5 Aug 2011 14:04:27 +0200
Message-id: <[🔎] 20110805120426.GE10369@localhost>
Reply-to: Michael Vogt <mvo@debian.org>, 636314@bugs.debian.org
In-reply-to: <[🔎] 20110805112315.GA12058@risingsoftware.com>
References: <[🔎] 20110802081418.28159.9767.reportbug@li154-67.members.linode.com> <[🔎] 20110805103217.GB25492@localhost> <[🔎] 20110805112315.GA12058@risingsoftware.com>

On Fri, Aug 05, 2011 at 07:23:15AM -0400, Hamish Moffatt wrote:
> On Fri, Aug 05, 2011 at 12:32:17PM +0200, Michael Vogt wrote:
> > On Tue, Aug 02, 2011 at 04:14:18AM -0400, Hamish Moffatt wrote:
> > > Package: apt
> > > Version: 0.8.10.3+squeeze1
> > > Severity: important
[..]
> > I can verify this for unsigned Release files, there is indeed no
> > hashsum verification in this case. I added a testcase and a fix to the
> > debian-sid branch. But I was not able to verify this for signed
> > Release files, I get correct errors in this case on apt-get update on
> > mismaches (I added a test for this as well to the testsuite to be
> > sure).
> 
> Thanks. By the way I found this problem in lucid originally and verified
> on squeeze before reporting it there.
> 
> However I am seeing the problem with what I believe is a correctly
> signed repository. For example the repository inside the tar I attached
> to the original report. I think the key for it is on keyserver.ubuntu.com.

Thanks for this additional information.

The test-bz2-hash-error.tar that is attached to the bug does not have
a Release.gpg file. With this unsigned archive there is indeed no
hashsum check.

> As a second dist, I copied down dists/ from a debian mirror, repacked a
> Packages.bz2 for main/binary-i386 to ensure the md5sum changed, then ran
> apt-get update against it. There was no error and apt-cache policy
> showed that apt considered the source valid.

I just did something similar, i wget Release and Release.gpg, then
binary-i386/Packages.bz2 into /var/www, modified its content and ran
apt-get update on a sources.list that points to http://localhost/ 

With both current trunk and the apt in squeeze I got the expected
"Hash Sum mismatch" error and no Packages file in /var/lib/apt/lists

If you can reproduce this, I would love to get the output of 
"apt-get update -o Debug::pkgAcquire::Auth=true" and steps how to
reproduce this. I'm also available on irc as "mvo" on oftc and
freenode for faster turnaround. As this report is quite concerning, I
would really like to get to the bottom of this as quickly as
possible.

One thing I can think of is that apt does not verify the content in
/var/lib/apt/lists again after it got downloaded, so if the Packages
file in there is modified locally, then apt will not catch that.

Thanks,
 Michael

Reply to:

Follow-Ups:
- Bug#636314: apt: Packages.bz2 checksum mismatch not detected
  - From: Hamish Moffatt <hamish@debian.org>

References:
- Bug#636314: apt: Packages.bz2 checksum mismatch not detected
  - From: Hamish Moffatt <hamish@debian.org>
- Bug#636314: apt: Packages.bz2 checksum mismatch not detected
  - From: Michael Vogt <mvo@debian.org>
- Bug#636314: apt: Packages.bz2 checksum mismatch not detected
  - From: Hamish Moffatt <hamish@debian.org>

Prev by Date: Bug#636314: apt: Packages.bz2 checksum mismatch not detected
Next by Date: Bug#636314: apt: Packages.bz2 checksum mismatch not detected
Previous by thread: Bug#636314: apt: Packages.bz2 checksum mismatch not detected
Next by thread: Bug#636314: apt: Packages.bz2 checksum mismatch not detected
Index(es):
- Date
- Thread