Debian Bug report logs - #856215
cdebootstrap: since SHA1 removal from Release file, only MD5sums are used


Package: src:cdebootstrap; Maintainer for src:cdebootstrap is Bastian Blank <waldi@debian.org>;

Reported by: Steven Chamberlain <steven@pyro.eu.org>

Date: Sun, 26 Feb 2017 16:45:04 UTC

Severity: grave

Tags: security, sid, stretch

Found in version cdebootstrap/0.5.8

Fixed in version cdebootstrap/0.7.7

Done: Bastian Blank <waldi@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, security@debian.org, Bastian Blank <waldi@debian.org>:
Bug#856215; Package src:cdebootstrap. (Sun, 26 Feb 2017 16:45:07 GMT)


Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org>:
New Bug report received and forwarded. Copy sent to security@debian.org, Bastian Blank <waldi@debian.org>. (Sun, 26 Feb 2017 16:45:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Steven Chamberlain <steven@pyro.eu.org>
To: submit@bugs.debian.org
Subject: cdebootstrap: since SHA1 removal from Release file, only MD5sums are used
Date: Sun, 26 Feb 2017 16:42:39 +0000
[Message part 1 (text/plain, inline)]
Source: cdebootstrap
Version: 0.5.8
Severity: grave
Tags: security stretch sid
X-Debbugs-Cc: security@debian.org
User: debian-release@lists.debian.org
Usertags: bsp-2017-02-de-Berlin

Hi,

The current Debian 'testing' release - the upcoming 'stretch' release
candidate - removed the SHA1 sums from the Release file.  That was
intended to deprecate it in favour of SHA256.  An unintended consequence
is that cdebootstrap, when SHA1 sums are unavailable, falls back to
using only the MD5Sum field instead:

http://sources.debian.net/src/cdebootstrap/0.7.6/src/check.c/#L79

  /* Prefer SHA1 when the Release file provides it (sum[1]) */
  if (item->sum[1])
    return check_sum (target, "sha1sum", item->sum[1], buf_name);
  /* Otherwise verify with MD5 alone (sum[0]); once SHA1 is removed
     from the Release file this is the only path taken */
  if (item->sum[0])
    return check_sum (target, "md5sum", item->sum[0], buf_name);

Further context and an overview of related bugs will be published at:
https://wiki.debian.org/InstallerDebacle

Thanks,
Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org
[signature.asc (application/pgp-signature, inline)]
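As an added illustration (not code from cdebootstrap; the SHA256 slot sum[2], the struct layout and the sample Release entry are assumptions of this example), the pre-fix selection order is shown beside a hardened one that follows the 0.7.7 changelog: require a full-length SHA256 digest and never fall back to MD5:

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Indices mirror check.c: sum[0] = MD5Sum, sum[1] = SHA1. sum[2] (SHA256) is an
   assumed extension for this example. NULL means the Release file lacks the field. */
enum { SUM_MD5 = 0, SUM_SHA1 = 1, SUM_SHA256 = 2, SUM_COUNT = 3 };

struct item {
    const char *sum[SUM_COUNT];
};

/* Hex length of a complete digest: 128, 160 and 256 bits */
static const size_t sum_hex_len[SUM_COUNT] = { 32, 40, 64 };

/* Usable only if exactly the full length and all hex digits: a truncated
   digest (cf. #856213) is rejected rather than compared as a prefix. */
static bool digest_well_formed(const char *s, size_t want)
{
    if (s == NULL || strlen(s) != want)
        return false;
    for (; *s; s++)
        if (!isxdigit((unsigned char)*s)) return false;
    return true;
}

/* Pre-fix selection as in check.c of 0.7.6: SHA1 if present, else MD5.
   Returns the index of the digest that would be verified, or -1 for none. */
int choose_sum_weak(const struct item *it)
{
    if (it->sum[SUM_SHA1]) return SUM_SHA1;
    if (it->sum[SUM_MD5])  return SUM_MD5;
    return -1;
}

/* Hardened selection following the 0.7.7 changelog: a full-length SHA256
   digest is required and there is no fall-back to SHA1 or MD5. */
int choose_sum_hardened(const struct item *it)
{
    if (digest_well_formed(it->sum[SUM_SHA256], sum_hex_len[SUM_SHA256]))
        return SUM_SHA256;
    return -1; /* caller must abort the bootstrap, not continue */
}

/* Constructed entry modelled on a stretch Release file: SHA1 dropped, MD5Sum and SHA256 kept */
const struct item stretch_packages = {
    { "0123456789abcdef0123456789abcdef", NULL,
      "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" }
};
```

With the constructed entry, choose_sum_weak() settles for MD5 (index 0) while choose_sum_hardened() selects SHA256 (index 2); an entry carrying only a truncated SHA256 digest is refused outright.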

Reply sent to Bastian Blank <waldi@debian.org>:
You have taken responsibility. (Sun, 05 Mar 2017 12:36:07 GMT)


Notification sent to Steven Chamberlain <steven@pyro.eu.org>:
Bug acknowledged by developer. (Sun, 05 Mar 2017 12:36:07 GMT)


Message #10 received at 856215-close@bugs.debian.org:

From: Bastian Blank <waldi@debian.org>
To: 856215-close@bugs.debian.org
Subject: Bug#856215: fixed in cdebootstrap 0.7.7
Date: Sun, 05 Mar 2017 12:34:03 +0000
Source: cdebootstrap
Source-Version: 0.7.7

We believe that the bug you reported is fixed in the latest version of
cdebootstrap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 856215@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastian Blank <waldi@debian.org> (supplier of updated cdebootstrap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 05 Mar 2017 13:09:27 +0100
Source: cdebootstrap
Binary: cdebootstrap cdebootstrap-static
Architecture: source
Version: 0.7.7
Distribution: unstable
Urgency: medium
Maintainer: Bastian Blank <waldi@debian.org>
Changed-By: Bastian Blank <waldi@debian.org>
Description:
 cdebootstrap - Bootstrap a Debian system
 cdebootstrap-static - Bootstrap a Debian system - static binary
Closes: 856212 856213 856215
Changes:
 cdebootstrap (0.7.7) unstable; urgency=medium
 .
   [ Steven Chamberlain ]
   * Implement SHA256 verification of .deb files.  (closes: #856212)
   * Implement SHA256 verification of Packages files.
     - Drop fall-back to MD5.  (closes: #856215)
   * Check full length of SHA256 digest.  (closes: #856213)
 .
   [ Bastian Blank ]
   * Build-depend against correct version of libdebian-installer4-dev.
Checksums-Sha1:
 0776bd9e57a39a6a2f3839b5c53bd19548fc52ba 1335 cdebootstrap_0.7.7.dsc
 a949547d4d300d76174a98e7e1c98be27d40d4b4 56320 cdebootstrap_0.7.7.tar.xz
 2c0cdfef6f26d7cf63deec4183d9696a5b9fe765 5260 cdebootstrap_0.7.7_source.buildinfo
Checksums-Sha256:
 2606f833421c8b4de6f1354ae2cde7f25636669092f1864d6e80788f3b2ea6a7 1335 cdebootstrap_0.7.7.dsc
 b298efa769e78fdf8830e1802fde9be4c7f0d54640a21953615dc4407de853b8 56320 cdebootstrap_0.7.7.tar.xz
 5a9ababd10131ae4e7c0de52b261b639f8a8d4da68fe687080372509030eabbb 5260 cdebootstrap_0.7.7_source.buildinfo
Files:
 1aec7fb5a440d4ca1184ee98d2f6532e 1335 admin optional cdebootstrap_0.7.7.dsc
 c4dbae708a90e8a224d6d5dd599e78ef 56320 admin optional cdebootstrap_0.7.7.tar.xz
 9d29928977a86a83fc7ba72bded3b911 5260 admin optional cdebootstrap_0.7.7_source.buildinfo

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 05 Apr 2017 07:25:41 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Jan 30 06:01:15 2024; Machine Name: bembo
