[PATCH opkg v2] libopkg: harden checksum verification in error cases
Baptiste Jonglez
baptiste at bitsofnetworks.org
Mon Aug 24 13:26:22 EDT 2020
On 24-08-20, Baptiste Jonglez wrote:
> From: Baptiste Jonglez <git at bitsofnetworks.org>
>
> This should make it harder to exploit bugs such as CVE-2020-7982.
>
> If we can't compute the checksum of a package, we should abort.
>
> Similarly, if we can't find any checksum in the package index, this should
> yield an error.
>
> As an exception, installing a package directly from a file is allowed even
> if no checksum is found, because this is typically used without any
> package index. This can be useful when installing packages "manually" on
> a device, but is also done in several places during the OpenWrt build
> process.
>
> In any case, it is always possible to use the existing --force-checksum
> option to manually bypass these new verifications.
It seems that I missed a use-case: installing a package directly from an
URL, like this:
opkg install http://example.com/pkg.ipk
It will now fail because no checksum is found in a package index.
One way would be to also enable the "provided_by_hand" flag in this case,
just like it is already done when installing from a file (e.g. opkg install /tmp/foo.ipk)
It seems this could change dependency resolution, that's apparently the
purpose of the "provided_by_hand" flag according to a comment:
Adding this flag, to "force" opkg to choose a "provided_by_hand"
package, if there are multiple choice
Is it fine? Any other idea?
Baptiste
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.openwrt.org/pipermail/openwrt-devel/attachments/20200824/0af996c0/attachment.sig>
More information about the openwrt-devel
mailing list