Christoph Anton Mitterer
2012-Mar-27 01:34 UTC
[Secure-testing-team] Bug#665921: apt: use all hashsums available in secure APT
Package: apt
Version: 0.8.15.10
Severity: important
Tags: security

Hi.

I hope this isn't a duplicate (with ~900 bugs, I may have overlooked one ;-) ).

APT uses hash sum verification in many places (hopefully all). The files in /var/lib/apt/lists/ provide different kinds of hash sums (MD5, SHA*) in all "kinds" of files: Release, Packages and Sources.

I made some simple tests, modifying these sums and doing actions. It seems that for different actions (I tried with apt-get "download" and "source"), different hash sums are looked at. E.g. for one of them it was "just" MD5, which is known to be quite weak now.

May I suggest the following: validate ALL available, and if only one of them fails, consider the verification to have failed. The above should be the default.

Now for some people, verifying all of them might be too slow, so it could be nice to add a configuration option that lets users specify which (one to many) they PREFER(!) to be calculated/verified. Again, the default should be that ALL must verify successfully (as it should never happen that this is not the case). That way people could specify "just the strongest" (e.g. SHA512) or just the weakest (e.g. MD5). If the specified algorithm was not available at all, it should fall back to the default and verify all available.

If no hash sums were available at all, this should of course be considered a failure, too.

Cheers,
Chris.
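The policy proposed in the report above, as an added worked example that is not APT's code and not part of the original bug report: parse the MD5Sum/SHA1/SHA256/SHA512 sections of a Release-style index, then verify a file against every listed digest, with an optional preferred-algorithm list that falls back to "check all" when none of the preferred algorithms is present, and a hard failure when no digest exists at all. The Release index and the Packages content are constructed inline for the demonstration; the function names (`parse_release`, `failed_sums`, `build_release`) are this example's own and do not correspond to anything in apt.

```python
import hashlib

# Section headers as they appear in a Release file, mapped to hashlib names.
RELEASE_SECTIONS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}


def parse_release(text):
    """Parse the hash sections of a Release-style index into {path: {algo: digest}}.

    Hash sections look like:
        SHA256:
         <hexdigest> <size> <path>
    Any non-indented line ends the current section.
    """
    sums = {}
    section = None
    for line in text.splitlines():
        if not line.startswith(" "):
            key = line.split(":", 1)[0]
            section = RELEASE_SECTIONS.get(key)  # None for Origin:, Suite:, etc.
            continue
        if section is None:
            continue
        digest, _size, path = line.split()
        sums.setdefault(path, {})[section] = digest.lower()
    return sums


def failed_sums(data, expected, preferred=None):
    """Return the list of algorithms whose digest of `data` does not match `expected`.

    Policy from the bug report:
      * default: every available digest is checked; any mismatch is a failure,
      * `preferred` restricts the check to those algorithms that are actually
        listed for the file; if none of them is listed, fall back to checking all,
      * a file with no digest at all is an error, never a silent pass.
    An empty return value means the file verified.
    """
    if not expected:
        raise ValueError("no hash sums available for file; refusing to verify")
    to_check = [a for a in (preferred or []) if a in expected] or list(expected)
    return [a for a in to_check if hashlib.new(a, data).hexdigest() != expected[a]]


def build_release(files):
    """Construct a Release-style index for the given {path: bytes} (test fixture, not a real Debian file)."""
    lines = ["Origin: Example", "Suite: constructed"]
    for section, algo in RELEASE_SECTIONS.items():
        lines.append(f"{section}:")
        for path, data in files.items():
            lines.append(f" {hashlib.new(algo, data).hexdigest()} {len(data)} {path}")
    return "\n".join(lines) + "\n"


# Constructed sample: one Packages file and the index that describes it.
SAMPLE_FILES = {"main/binary-amd64/Packages": b"Package: example\nVersion: 1.0\n"}
SAMPLE_RELEASE = build_release(SAMPLE_FILES)


if __name__ == "__main__":
    path = "main/binary-amd64/Packages"
    data = SAMPLE_FILES[path]
    expected = parse_release(SAMPLE_RELEASE)[path]
    print("clean index:", failed_sums(data, expected))

    # Simulate the test from the report: corrupt one digest (here MD5) in the index.
    tampered = dict(expected)
    tampered["md5"] = "0" * 32
    print("tampered, check all:", failed_sums(data, tampered))
    print("tampered, prefer sha512 only:", failed_sums(data, tampered, preferred=["sha512"]))
```

Checking only the preferred algorithm hides the corrupted MD5 entry, which is exactly why the report wants "check all" as the default and the preference list as an opt-in speed trade-off; an unknown preferred name (one not listed for the file) silently widens the check back to all algorithms rather than skipping verification.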