From patchwork Mon Aug 24 13:09:59 2020
X-Patchwork-Submitter: Baptiste Jonglez
X-Patchwork-Id: 1350368
X-Patchwork-Delegate: baptiste@bitsofnetworks.org
From: Baptiste Jonglez
To: openwrt-devel@lists.openwrt.org
Cc: Baptiste Jonglez
Subject: [PATCH opkg v2] libopkg: harden checksum verification in error cases
Date: Mon, 24 Aug 2020 15:09:59 +0200
Message-Id: <20200824130959.437942-1-baptiste@bitsofnetworks.org>
In-Reply-To: <20200824115220.436145-1-baptiste@bitsofnetworks.org>
References: <20200824115220.436145-1-baptiste@bitsofnetworks.org>

From: Baptiste Jonglez

This should make it harder to exploit bugs such as CVE-2020-7982.

If we can't compute the checksum of a package, we should abort.

Similarly, if we can't find any checksum in the package index, this should
yield an error. As an exception, installing a package directly from a
file is allowed even if no checksum is found, because this is typically
used without any package index. This can be useful when installing
packages "manually" on a device, but is also done in several places during
the OpenWrt build process.

In any case, it is always possible to use the existing --force-checksum
option to manually bypass these new verifications.

Signed-off-by: Baptiste Jonglez --- v2: rebase to avoid depending on the other patch "libopkg: move file size check after checksum verification". libopkg/opkg_install.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/libopkg/opkg_install.c b/libopkg/opkg_install.c index 27c9484..18a2511 100644 --- a/libopkg/opkg_install.c +++ b/libopkg/opkg_install.c @@ -1395,6 +1395,11 @@ int opkg_install_pkg(pkg_t * pkg, int from_upgrade) pkg_md5 = pkg_get_md5(pkg); if (pkg_md5) { file_md5 = file_md5sum_alloc(local_filename); + if (!file_md5 && !conf->force_checksum) { + opkg_msg(ERROR, "Failed to compute md5sum of package %s.\n", + pkg->name); + return -1; + } if (file_md5 && strcmp(file_md5, pkg_md5)) { if (!conf->force_checksum) { opkg_msg(ERROR, "Package %s md5sum mismatch. " @@ -1416,6 +1421,11 @@ int opkg_install_pkg(pkg_t * pkg, int from_upgrade) pkg_sha256 = pkg_get_sha256(pkg); if (pkg_sha256) { file_sha256 = file_sha256sum_alloc(local_filename); + if (!file_sha256 && !conf->force_checksum) { + opkg_msg(ERROR, "Failed to compute sha256sum of package %s.\n", + pkg->name); + return -1; + } if (file_sha256 && strcmp(file_sha256, pkg_sha256)) { if (!conf->force_checksum) { opkg_msg(ERROR, @@ -1434,6 +1444,16 @@ int opkg_install_pkg(pkg_t * pkg, int from_upgrade) free(file_sha256); } + /* Check that at least one type of checksum was found. There are + * two acceptable exceptions: + * 1) the package is explicitly installed from a local file; + * 2) the --force-checksum option is used to disable checksum verification. */ + if (!pkg_md5 && !pkg_sha256 && !pkg->provided_by_hand && !conf->force_checksum) { + opkg_msg(ERROR, "Failed to obtain checksum of package %s from package index.\n", + pkg->name); + return -1; + } + if (conf->download_only) { if (conf->nodeps == 0) { err = satisfy_dependencies_for(pkg);
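
Review bot: In the first hunk (@@ -1395, md5 path), a failed file_md5sum_alloc() combined with --force-checksum lets the install continue silently, because the following `if (file_md5 && strcmp(file_md5, pkg_md5))` is skipped when file_md5 is NULL. Please log a message on that path so a bypassed verification shows up in the output, and add local_filename to the new error text, since pkg->name alone does not say which file could not be hashed.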
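
Review bot: The sha256 hunk (@@ -1416) repeats the md5 hunk line for line apart from the function name and the message text, so the two failure paths can drift apart in later edits. A small static helper that takes the computed digest, the expected digest and the algorithm name, and returns the error code, would keep the "could not compute" and "mismatch" handling in one place for both algorithms.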
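
Review bot: The new check in the last hunk (@@ -1434) passes as soon as pkg_md5 is set, so an index entry that carries only an md5sum still satisfies `!pkg_md5 && !pkg_sha256` and the package is accepted on the weaker hash alone. If that is intended for compatibility, the comment should say so. The exemption also rests entirely on pkg->provided_by_hand, so the comment or commit message should state where that flag is set, allowing a reader to confirm it cannot apply to a package resolved through the index. As a style point, the condition line is much longer than the other lines in the hunk and would read better split after `!pkg_sha256`.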