Debian Bug report logs - #856213
cdebootstrap: SHA1 verification truncates hash from 160 to 128 bits


Package: src:cdebootstrap; Maintainer for src:cdebootstrap is Bastian Blank <waldi@debian.org>;

Reported by: Steven Chamberlain <steven@pyro.eu.org>

Date: Sun, 26 Feb 2017 16:42:02 UTC

Severity: grave

Tags: security

Found in version cdebootstrap/0.5.8

Fixed in version cdebootstrap/0.7.7

Done: Bastian Blank <waldi@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, security@debian.org, Bastian Blank <waldi@debian.org>:
Bug#856213; Package src:cdebootstrap. (Sun, 26 Feb 2017 16:42:04 GMT)


Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org>:
New Bug report received and forwarded. Copy sent to security@debian.org, Bastian Blank <waldi@debian.org>. (Sun, 26 Feb 2017 16:42:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Steven Chamberlain <steven@pyro.eu.org>
To: submit@bugs.debian.org
Subject: cdebootstrap: SHA1 verification truncates hash from 160 to 128 bits
Date: Sun, 26 Feb 2017 16:39:53 +0000
Source: cdebootstrap
Version: 0.5.8
Severity: grave
Tags: security
X-Debbugs-Cc: security@debian.org
User: debian-release@lists.debian.org
Usertags: bsp-2017-02-de-Berlin
Control: block 856212 by -1

Hi,

cdebootstrap implemented in version 0.5.8 (2011) verification of the
Packages files using the SHA1 field of the Release file. That first
featured in the installer of the 'wheezy' release (2013).

But whereas md5sum yields a 32-byte hex string, sha1sum yields a 40-byte
hex string. cdebootstrap did not consider this, and so it would only
compare the first 32 bytes of the hex string against the expected value
(effectively truncating the SHA1 hash from 160 to only 128 bits): 

http://sources.debian.net/src/cdebootstrap/0.7.6/src/check.c/#L54

    if (item->sum[1])
      return check_sum (target, "sha256sum", item->sum[1], buf_name);
    ...
    if (!strncmp (buf, sum, 32))

Further context and an overview of related bugs will be published at:
https://wiki.debian.org/InstallerDebacle

Thanks,
Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org
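The check described in the report compares a fixed 32 hex characters regardless of which digest field is in use. The following is an added example, not cdebootstrap's own code and not code from the report's author: it places that fixed-length comparison shape beside a length-aware check that derives the expected hex length from the field name, rejects malformed or short digests, and compares the full digest without early exit. The function names and every digest value below are constructed for illustration and are not hashes of any real file.

```c
/* Added example (not cdebootstrap's own code): a digest check that is
 * length-aware per algorithm, beside the fixed-32-character comparison
 * shape described in the bug report. Function names and every digest
 * value below are constructed for illustration. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hex-string length of each digest field as it appears in a Release file. */
size_t digest_hex_len(const char *field)
{
    if (strcmp(field, "md5sum") == 0)    return 32;  /* 128 bits */
    if (strcmp(field, "sha1sum") == 0)   return 40;  /* 160 bits */
    if (strcmp(field, "sha256sum") == 0) return 64;  /* 256 bits */
    return 0;                                        /* unknown field */
}

/* The flawed shape from the report: compares only the first 32 hex
 * characters whatever the algorithm, so the tail of a SHA1 or SHA256
 * digest is never examined. Returns 1 on (apparent) match. */
int check_sum_truncated(const char *computed, const char *expected)
{
    return strncmp(computed, expected, 32) == 0;
}

/* Length-aware check: both strings must be exactly the digest length for
 * the named field and well-formed hex, and must agree over that whole
 * length. The loop does not exit early on a mismatch, so comparison
 * time does not depend on where the digests diverge. Returns 1 on match. */
int check_sum_full(const char *field, const char *computed, const char *expected)
{
    size_t want = digest_hex_len(field);
    if (want == 0)
        return 0;
    if (strlen(computed) != want || strlen(expected) != want)
        return 0;

    unsigned diff = 0;
    for (size_t i = 0; i < want; i++) {
        unsigned char c = (unsigned char)computed[i];
        unsigned char e = (unsigned char)expected[i];
        if (!isxdigit(c) || !isxdigit(e))
            return 0;
        diff |= (unsigned)(tolower(c) ^ tolower(e));
    }
    return diff == 0;
}

/* Constructed SHA1-length digests: identical in the first 32 hex
 * characters, different in the last 8 (the 32 bits the old check ignored). */
const char SAMPLE_RELEASE_SHA1[]  = "0123456789abcdef0123456789abcdef00000000";
const char SAMPLE_TAMPERED_SHA1[] = "0123456789abcdef0123456789abcdefffffffff";

/* Returns 1 when the truncated check accepts the tampered digest while
 * the full-length check rejects it and still accepts the genuine one:
 * exactly the gap reported in #856213. */
int demo_truncation_gap(void)
{
    int truncated_accepts = check_sum_truncated(SAMPLE_TAMPERED_SHA1, SAMPLE_RELEASE_SHA1);
    int full_rejects      = !check_sum_full("sha1sum", SAMPLE_TAMPERED_SHA1, SAMPLE_RELEASE_SHA1);
    int full_accepts      = check_sum_full("sha1sum", SAMPLE_RELEASE_SHA1, SAMPLE_RELEASE_SHA1);
    return truncated_accepts && full_rejects && full_accepts;
}

int main(void)
{
    printf("truncated check accepts tampered digest: %d\n",
           check_sum_truncated(SAMPLE_TAMPERED_SHA1, SAMPLE_RELEASE_SHA1));
    printf("full-length check accepts tampered digest: %d\n",
           check_sum_full("sha1sum", SAMPLE_TAMPERED_SHA1, SAMPLE_RELEASE_SHA1));
    return 0;
}
```

Deriving the expected length from the field name is what makes the check resistant to the class of bug here: a digest of the wrong length, whether truncated on the wire or compared against a too-short constant, fails closed instead of matching on a prefix.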

Added indication that bug 856213 blocks 856212 Request was from Steven Chamberlain <steven@pyro.eu.org> to submit@bugs.debian.org. (Sun, 26 Feb 2017 16:42:05 GMT)


Reply sent to Bastian Blank <waldi@debian.org>:
You have taken responsibility. (Sun, 05 Mar 2017 12:36:05 GMT)


Notification sent to Steven Chamberlain <steven@pyro.eu.org>:
Bug acknowledged by developer. (Sun, 05 Mar 2017 12:36:05 GMT)


Message #12 received at 856213-close@bugs.debian.org:

From: Bastian Blank <waldi@debian.org>
To: 856213-close@bugs.debian.org
Subject: Bug#856213: fixed in cdebootstrap 0.7.7
Date: Sun, 05 Mar 2017 12:34:03 +0000
Source: cdebootstrap
Source-Version: 0.7.7

We believe that the bug you reported is fixed in the latest version of
cdebootstrap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 856213@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastian Blank <waldi@debian.org> (supplier of updated cdebootstrap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 05 Mar 2017 13:09:27 +0100
Source: cdebootstrap
Binary: cdebootstrap cdebootstrap-static
Architecture: source
Version: 0.7.7
Distribution: unstable
Urgency: medium
Maintainer: Bastian Blank <waldi@debian.org>
Changed-By: Bastian Blank <waldi@debian.org>
Description:
 cdebootstrap - Bootstrap a Debian system
 cdebootstrap-static - Bootstrap a Debian system - static binary
Closes: 856212 856213 856215
Changes:
 cdebootstrap (0.7.7) unstable; urgency=medium
 .
   [ Steven Chamberlain ]
   * Implement SHA256 verification of .deb files.  (closes: #856212)
   * Implement SHA256 verification of Packages files.
     - Drop fall-back to MD5.  (closes: #856215)
   * Check full length of SHA256 digest.  (closes: #856213)
 .
   [ Bastian Blank ]
   * Build-depend against correct version of libdebian-installer4-dev.
Checksums-Sha1:
 0776bd9e57a39a6a2f3839b5c53bd19548fc52ba 1335 cdebootstrap_0.7.7.dsc
 a949547d4d300d76174a98e7e1c98be27d40d4b4 56320 cdebootstrap_0.7.7.tar.xz
 2c0cdfef6f26d7cf63deec4183d9696a5b9fe765 5260 cdebootstrap_0.7.7_source.buildinfo
Checksums-Sha256:
 2606f833421c8b4de6f1354ae2cde7f25636669092f1864d6e80788f3b2ea6a7 1335 cdebootstrap_0.7.7.dsc
 b298efa769e78fdf8830e1802fde9be4c7f0d54640a21953615dc4407de853b8 56320 cdebootstrap_0.7.7.tar.xz
 5a9ababd10131ae4e7c0de52b261b639f8a8d4da68fe687080372509030eabbb 5260 cdebootstrap_0.7.7_source.buildinfo
Files:
 1aec7fb5a440d4ca1184ee98d2f6532e 1335 admin optional cdebootstrap_0.7.7.dsc
 c4dbae708a90e8a224d6d5dd599e78ef 56320 admin optional cdebootstrap_0.7.7.tar.xz
 9d29928977a86a83fc7ba72bded3b911 5260 admin optional cdebootstrap_0.7.7_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEER3HMN63jdS1rqjxLbZOIhYpp/lEFAli8ACEACgkQbZOIhYpp
/lH0uAf/W3Of39QSi+0yxMYPUV+FvDOmkX7UkDsjfn/kbpX9KRujfCu3iVr/FyKX
zqjxZHwbBIwWheskcBNuCpURNMzTVncKQawQ96FvBsxg3Gpep9DHPukywp4V/Icj
pYi/YHCA5CmjXdApCeWnj3KmEHbyu+x12L+QKvsAwrHIYhkNYDnG2GHYVpnJLVKA
cXTinY5UOf5kHDfTM1Dhb7gNoU3/19qIS445OwIYxXL9K+UbfanVWaCR9oBvpta8
gc79MwdHsQ16jKBJN2JZvcuozKgUBDJuMwASBM+DusOMwKOzbXJpa70dtrNo6a3d
DEaxP1jv4VkkosGZ6dCFCFQMSNQ6yw==
=dzdC
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Jul 2017 07:30:00 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Jan 30 06:01:19 2024; Machine Name: bembo
