
Bug#665921: apt: use all hashsums available in secure APT



Package: apt
Version: 0.8.15.10
Severity: important
Tags: security


Hi.

I hope this isn't a duplicate (with ~900 bugs, I may have overlooked one ;-) ).


APT uses hash sum verifications in many places (hopefully all).

The files in /var/lib/apt/lists/ provide different kinds of hashsums (MD5, SHA*)
in all "kinds" of files, Release, Packages and Sources.

I made some simple tests, modifying these sums and doing actions.

It seems that for different actions (I tried with apt-get "download" and "source"),
different hashsums are looked at.
E.g. for one of them it was "just" MD5, which is known to be quite weak now.


May I suggest to do the following:
Validate ALL available, and if only one of them fails, consider the verification
to be failed.

The above should be the default.


Now for some people, verifying all of them might be too slow, so it could be nice
to add a configuration option that lets users specify which (one to many) they
PREFER(!) be calculated/verified.
Again, the default should be that ALL must verify successfully (as it should never
happen that this is not the case).

That way people could specify "just the strongest" (e.g. SHA512) or just the weakest
(e.g. MD5).

If the specified algorithm was not available at all, it should fall back to the
default and verify all available.
If no hashsums were available at all, this should of course be considered a
failure, too.


Cheers,
Chris.
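A stand-alone sketch of the verification policy the report proposes (verify every hash sum by default, honour a preferred subset when configured, fall back to all when none of the preferred ones is present, and treat a missing hash sum as failure), added here as an example; it is not APT's own code. `verify_hashes`, `SUPPORTED`, `build_index_entry` and the `preferred` option are assumed names, and the index entry is constructed from sample bytes rather than read from a real Packages file.

```python
import hashlib

# Field names as they appear in Release/Packages/Sources files, mapped to
# the hashlib algorithm that computes them (assumed mapping for this example).
SUPPORTED = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}


def verify_hashes(data: bytes, expected: dict, preferred=None) -> bool:
    """Return True only if every selected hash sum of `data` matches.

    Policy from the report:
      * default: check every hash sum the index provides; any mismatch fails;
      * if `preferred` names algorithms, check only those that are present;
      * if none of the preferred ones is present, fall back to checking all;
      * if the index provides no usable hash sum at all, that is a failure.
    """
    available = {k: v for k, v in expected.items() if k in SUPPORTED}
    if not available:
        return False  # nothing to verify against: treat as failed, not as passed

    selected = available
    if preferred:
        chosen = {k: v for k, v in available.items() if k in preferred}
        if chosen:  # otherwise fall back to verifying everything available
            selected = chosen

    for field, digest in selected.items():
        actual = hashlib.new(SUPPORTED[field], data).hexdigest()
        if actual.lower() != digest.lower():
            return False  # a single mismatch fails the whole verification
    return True


def build_index_entry(data: bytes, fields=("MD5Sum", "SHA1", "SHA256")) -> dict:
    """Constructed helper: the hash sums an index entry would carry for `data`."""
    return {f: hashlib.new(SUPPORTED[f], data).hexdigest() for f in fields}


if __name__ == "__main__":
    sample = b"constructed package contents\n"  # constructed sample, not a real .deb
    entry = build_index_entry(sample)
    # Simulate content that still matches MD5 but not SHA256 (e.g. a substituted
    # file): under the "verify all" default this is rejected.
    tampered = dict(entry, SHA256="0" * 64)
    print("intact:", verify_hashes(sample, entry))
    print("sha256 mismatch, default:", verify_hashes(sample, tampered))
    print("sha256 mismatch, prefer SHA512 (absent -> all):",
          verify_hashes(sample, tampered, preferred=["SHA512"]))
```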
