[PATCH opkg v2] libopkg: harden checksum verification in error cases

Baptiste Jonglez baptiste at bitsofnetworks.org
Mon Aug 24 13:26:22 EDT 2020


On 24-08-20, Baptiste Jonglez wrote:
> From: Baptiste Jonglez <git at bitsofnetworks.org>
> 
> This should make it harder to exploit bugs such as CVE-2020-7982.
> 
> If we can't compute the checksum of a package, we should abort.
> 
> Similarly, if we can't find any checksum in the package index, this should
> yield an error.
> 
> As an exception, installing a package directly from a file is allowed even
> if no checksum is found, because this is typically used without any
> package index.  This can be useful when installing packages "manually" on
> a device, but is also done in several places during the OpenWrt build
> process.
> 
> In any case, it is always possible to use the existing --force-checksum
> option to manually bypass these new verifications.

It seems that I missed a use-case: installing a package directly from a
URL, like this:

    opkg install http://example.com/pkg.ipk

It will now fail because no checksum is found in a package index.

One way would be to also enable the "provided_by_hand" flag in this case,
just like it is already done when installing from a file (e.g. opkg install /tmp/foo.ipk).

It seems this could change dependency resolution; that's apparently the
purpose of the "provided_by_hand" flag according to a comment:

    Adding this flag, to "force" opkg to choose a "provided_by_hand"
    package, if there are multiple choice

Is it fine?  Any other idea?

Baptiste
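
The policy described in this message, as an added example that is not part of the original e-mail and is not libopkg's code. The struct, enum and function names are hypothetical, the checksum strings are constructed placeholders, and the order of the checks is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names: a model of the policy in the commit message,
 * not libopkg's code. */
enum verdict { PKG_OK, PKG_ERR_NO_INDEX_SUM, PKG_ERR_NO_COMPUTED, PKG_ERR_MISMATCH };

struct pkg_ctx {
    const char *index_sum;  /* checksum from the package index, NULL if none */
    const char *computed;   /* checksum of the file, NULL if hashing failed */
    int provided_by_hand;   /* set when installing from a local file */
    int force_checksum;     /* --force-checksum was given */
};

/* Fail closed: a missing input is an error unless an explicit exception
 * applies. Checking the index entry before the computed value is an
 * assumption of this sketch. */
enum verdict verify_checksum(const struct pkg_ctx *p)
{
    if (p->force_checksum)
        return PKG_OK;                      /* explicit operator bypass */
    if (p->index_sum == NULL)               /* nothing to compare against */
        return p->provided_by_hand ? PKG_OK : PKG_ERR_NO_INDEX_SUM;
    if (p->computed == NULL)
        return PKG_ERR_NO_COMPUTED;         /* could not hash: abort */
    return strcmp(p->index_sum, p->computed) == 0 ? PKG_OK : PKG_ERR_MISMATCH;
}

int main(void)
{
    /* Constructed cases; "aa11"/"bb22" are placeholder checksum strings. */
    struct pkg_ctx cases[] = {
        { "aa11", "aa11", 0, 0 },  /* index install, match */
        { "aa11", "bb22", 0, 0 },  /* index install, mismatch */
        { "aa11", NULL,   0, 0 },  /* checksum could not be computed */
        { NULL,   "aa11", 1, 0 },  /* opkg install /tmp/foo.ipk */
        { NULL,   "aa11", 0, 0 },  /* URL install without the flag */
        { NULL,   "aa11", 0, 1 },  /* same, with --force-checksum */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("case %zu -> %d\n", i, verify_checksum(&cases[i]));
    return 0;
}
```

The fifth case is the URL install from the reply: with no index entry and no "provided_by_hand" flag it is rejected unless --force-checksum is given.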