Debian Bug report logs - #856211
anna: please implement SHA256 verification of .udeb files

Package: src:anna; Maintainer for src:anna is Debian Install System Team <debian-boot@lists.debian.org>;

Reported by: Steven Chamberlain <steven@pyro.eu.org>

Date: Sun, 26 Feb 2017 16:33:01 UTC

Severity: grave

Tags: patch, security

Found in versions anna/1.57, anna/1.56

Fixed in version anna/1.58

Done: Bastian Blank <waldi@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, security@debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#856211; Package src:anna. (Sun, 26 Feb 2017 16:33:04 GMT) (full text, mbox, link).

Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org>:
New Bug report received and forwarded. Copy sent to security@debian.org, Debian Install System Team <debian-boot@lists.debian.org>. (Sun, 26 Feb 2017 16:33:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Source: anna
Version: 1.57
Severity: grave
Tags: security
X-Debbugs-Cc: security@debian.org
User: debian-release@lists.debian.org
Usertags: bsp-2017-02-de-Berlin
Control: block -1 by 856210

Hi,

To date, anna still only implements MD5 verification of .udeb files,
despite its formal deprecation as a digital signature algorithm by
RFC6151 (2011) and recommendations of academic literature years prior.

The files are typically downloaded via insecure HTTP transport, so the
checksum verification is critical for the security of the installed
system.  stretch is expected to be a supported release until 2022.  So
I'm tentatively filing this bug as RC-severity.

Further context and an overview of related bugs will be published at:
https://wiki.debian.org/InstallerDebacle

Thanks,
Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org

[signature.asc (application/pgp-signature, inline)]

Added blocking bug(s) of 856211: 856210 Request was from Steven Chamberlain <steven@pyro.eu.org> to submit@bugs.debian.org. (Sun, 26 Feb 2017 16:33:04 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#856211; Package src:anna. (Mon, 27 Feb 2017 03:24:03 GMT) (full text, mbox, link).

Acknowledgement sent to Cyril Brulebois <kibi@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. (Mon, 27 Feb 2017 03:24:03 GMT) (full text, mbox, link).

Message #12 received at 856211@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Steven Chamberlain <steven@pyro.eu.org> (2017-02-26):
> To date, anna still only implements MD5 verification of .udeb files,
> despite its formal deprecation as a digital signature algorithm by
> RFC6151 (2011) and recommendations of academic literature years prior.
> 
> The files are typically downloaded via insecure HTTP transport, so the
> checksum verification is critical for the security of the installed
> system.  stretch is expected to be a supported release until 2022.  So
> I'm tentatively filing this bug as RC-severity.
> 
> Further context and an overview of related bugs will be published at:
> https://wiki.debian.org/InstallerDebacle

AFAICT net-retriever does the fetching and checking work?


KiBi.

[signature.asc (application/pgp-signature, inline)]

Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. (Mon, 27 Feb 2017 11:39:04 GMT) (full text, mbox, link).

Message #17 received at 856211@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Hello!

Cyril Brulebois wrote:
> AFAICT net-retriever does the fetching and checking work?

Mayyybe...

Although with 
http://ftp.de.debian.org/debian/dists/testing/main/installer-i386/20170127/images/netboot/mini.iso
I observed md5sum and sha256sum only being executed as indicated in the
attached log.

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org

[checksum.log (text/plain, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #22 received at 856211@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Hi,

Steven Chamberlain <steven@pyro.eu.org> (2017-02-27):
> Cyril Brulebois wrote:
> > AFAICT net-retriever does the fetching and checking work?
> 
> Mayyybe...
> 
> Although with 
> http://ftp.de.debian.org/debian/dists/testing/main/installer-i386/20170127/images/netboot/mini.iso
> I observed md5sum and sha256sum only being executed as indicated in the
> attached log.

So we're only checking newer checksums for Packages files (against what's in
Release files, bad bad bad us indeed. IIRC MD5sum field was kept (as in: added
back) because debian-cd needs it at the moment, which partly explains why this
wasn't fixed earlier.

I'm not sure whether this exists already (be it for the whole distribution or
for d-i specifically), but referencing places where stuff like parsing happens
(Release, Packages, etc.), and where checkums are used, would help figure out
what to change when the list of supported fields/checksums are updated. Might
be another way to leverage this whole debacle thing.

KiBi.

[signature.asc (application/pgp-signature, inline)]

Message #27 received at 856211@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Cyril Brulebois wrote:
> IIRC MD5sum field was kept (as in: added
> back) because debian-cd needs it at the moment, which partly explains why this
> wasn't fixed earlier.

I think backward-compatibility would have been okay as long as *either*:

  * the archive published Release files with old+new hash algorithms; or
  * the utilities consuming it, supported the old/new hash algorithms;

but here we had done both of those things, which allowed for a downgrade
to go unnoticed.

I think right now it is easier to fix anna+cdebootstrap than debian-cd?

> but referencing places where stuff like parsing happens
> (Release, Packages, etc.), and where checkums are used,

Yesss, but only if someone updated that documentation with what the code
is doing.  Removal of SHA1 in Relases had an action-at-a-distance effect
on cdebootstrap, so it wouldn't be clear that the documentation needed
to change then.

In the ideal world, the code itself would be the clear, authoritative
reference of what it is doing.  I wish that we can remove all references
to md5 and sha1 there.

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org

[signature.asc (application/pgp-signature, inline)]

Message #32 received at 856211@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Control: tags -1 + patch

Hi,

Attached is a minimal patch intended to implement SHA256 verification.
It would depend on libdebian-installer being patched first (#856210) and
bumping the soname to 5.

"#define SHA256_HEX_LENGTH 64" is made explicit as possible so that one
remembers to increase it if changing SHA256 to SHA512 in the future.  A
more thorough rework of this code might store the hash type (as an enum)
and length, in the di_package struct instead.

Thanks,
Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org

[signature.asc (application/pgp-signature, inline)]

Added tag(s) patch. Request was from Steven Chamberlain <steven@pyro.eu.org> to 856211-submit@bugs.debian.org. (Mon, 27 Feb 2017 15:24:03 GMT) (full text, mbox, link).

Message #39 received at 856211@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Steven Chamberlain wrote:
> Attached is [...]

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org

[anna_bug856211_v1.patch (text/x-diff, attachment)]

[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#856211; Package src:anna. (Tue, 28 Feb 2017 15:45:05 GMT) (full text, mbox, link).

Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. (Tue, 28 Feb 2017 15:45:05 GMT) (full text, mbox, link).

Message #44 received at 856211@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Updated patch, which assumes the libdebian-installer4-dev package will
not be renamed.  Build-Depend on a recent enough version that provides
sha256 fields.

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org

[anna_bug856211_v2.patch (text/x-diff, attachment)]

[signature.asc (application/pgp-signature, inline)]

Marked as found in versions anna/1.56. Request was from Adrian Bunk <bunk@debian.org> to control@bugs.debian.org. (Thu, 02 Mar 2017 18:42:03 GMT) (full text, mbox, link).

Reply sent to Bastian Blank <waldi@debian.org>:
You have taken responsibility. (Sun, 05 Mar 2017 11:51:03 GMT) (full text, mbox, link).

Notification sent to Steven Chamberlain <steven@pyro.eu.org>:
Bug acknowledged by developer. (Sun, 05 Mar 2017 11:51:03 GMT) (full text, mbox, link).

Message #51 received at 856211-close@bugs.debian.org (full text, mbox, reply):

Source: anna
Source-Version: 1.58

We believe that the bug you reported is fixed in the latest version of
anna, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 856211@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastian Blank <waldi@debian.org> (supplier of updated anna package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 05 Mar 2017 12:26:20 +0100
Source: anna
Binary: anna
Architecture: source
Version: 1.58
Distribution: unstable
Urgency: medium
Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
Changed-By: Bastian Blank <waldi@debian.org>
Description:
 anna       - anna's not nearly apt, but for the Debian installer, it will do (udeb)
Closes: 856211
Changes:
 anna (1.58) unstable; urgency=medium
 .
   [ Bastian Blank ]
   * Build-depend against new enough version of libdebian-installer4-dev.
 .
   [ Steven Chamberlain ]
   * Use SHA256 for verification.  (closes: #856211)
Checksums-Sha1:
 c05e62195a4eda6f09edbd958550041af2ded22c 1318 anna_1.58.dsc
 76d4cbe202faa4d426b773323e2c951874c03e6f 89468 anna_1.58.tar.xz
 b25849dfcc3fdae496018d75125c1c7fa8cb959f 5034 anna_1.58_source.buildinfo
Checksums-Sha256:
 34fa403bf6efd85f860334af2b61e14e9382b9cc556ea69e7f88553f64f1d83c 1318 anna_1.58.dsc
 aa0e064ef0487fcc3b5adaac3e12d35df8149e7e0a6a7a5300e4064d782e98cc 89468 anna_1.58.tar.xz
 e216b0c591fef37cdb5dd11534dc7cf8fd18797706a3f5fe520e01deac7c82aa 5034 anna_1.58_source.buildinfo
Files:
 5636e687f1ef5671da967b9549eef47e 1318 debian-installer standard anna_1.58.dsc
 d9711e8f89bb6e5c43fbb659aecf4076 89468 debian-installer standard anna_1.58.tar.xz
 561f0d9be43e570bc57ffbf9793418d5 5034 debian-installer standard anna_1.58_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEER3HMN63jdS1rqjxLbZOIhYpp/lEFAli79h0ACgkQbZOIhYpp
/lHodAgAkHywc3nxxsJbzUPAFNoG50n9u0ouVFQpG/+n1cu6WskZX12nWEDtc2ec
7FehgOHBwuGWVIq3u8gn/fshWdXDPB2zW/lxMCKUUG5K1Drr7oIr7HY/dJu1CFuL
TmMU1Oc5TCxsrohksqQiCWStn1fFcWigkYbb7XTXWknzDrOZtig7+CU1pLRasQGd
KTOwgf+GgVAqTd4cYo5XJPPQZzDDpFC9hWHCk/Q8schNKil+Lm3dEKfcPQ5Mad9v
yenjPo7T9yOXoRg2Iy7kjOSv42OtZYuIVPsEbm0YJaYpTZpMw51CloVWC9FsWMBI
AB838NWB8LGMoypncGA1jY2TQeE85g==
=LOmw
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 03 Apr 2017 07:25:21 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Jan 30 06:00:02 2024; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Debian Bug report logs - #856211 anna: please implement SHA256 verification of .udeb files

Debian Bug report logs - #856211
anna: please implement SHA256 verification of .udeb files