Enforcing package source code integrity checks [Was: Re: Conclusions from CVE-2024-3094 (libxz disaster)]
Petr Štetiar
ynezz at true.cz
Fri Apr 5 00:58:08 PDT 2024
[removed openwrt-adm@ from the Cc: loop]
Petr Štetiar <ynezz at true.cz> [2024-04-01 14:49:46]:
> Perhaps this package source code integrity checks should be mandatory, not
> optional?
BTW I looked into this a bit and these are likely breakages caused by the
recent APK related changes:
$ curl -s https://buildbot.openwrt.org/images/api/v2/logs/1157227/raw | grep Wrong
mdio-netlink-0~1.3.1.tar.xz: Wrong hash (probably caused by .gitattributes), expecting 97dfd25d8cdf5994eeb8cb0a5862c993b8aef373b280bca567d41d4113f494a9, got f72f170941430eb793902fc3f736839e362d53136bf0459aa98cd1b1152ad5e2
v4l2loopback-0~v0.12.7.tar.xz: Wrong hash (probably caused by .gitattributes), expecting e5e5d897bdaa7f2fb0b897e503cecaeee234fcdc7f2f138aae501ef742f5b2b2, got 09fcc9a66c820855136fae517c8102564eed7070dd07c272eb14bf2af9b536a3
usb-serial-xr_usb_serial_common-2023.03.21~90ad5301.tar.xz: Wrong hash (probably caused by .gitattributes), expecting 0cea56120542d3d546028d17389a3419ca930448005a9208728c40583ccf027d, got ca9e4f48a1a71e8d8e595ce8981a876d11a7d3d0f67b9e68c7825730f2f8756a
dahdi-linux-2023.09.21~1bb9088f.tar.xz: Wrong hash (probably caused by .gitattributes), expecting b32eb405d64c981f64922840f616cf362636ccc93506986c0b92bd4dcca5ab30, got ca88184419f85e87e9b8fd89132a0cf441625230f694954c9a3315247c4adc4a
yet we still seem to be happily producing binary packages with those
theoretically tainted sources.
My understanding of the situation:
1. tarball is downloaded from sources.openwrt.org, but the package hash
doesn't match (might be corrupted or malicious tarball)
2. tarball is deleted, Git clone is performed and source code tarball
recreated
3. [ here is the possible blind spot, tarball hash is not checked again,
although it should be ]
4. build continues using Git cloned source tree from 2., which in case of
PKG_SOURCE_VERSION being a Git tag is not trustworthy enough
How to approach that?
A. Add additional post Git clone hash check (implement 3. above) and fail the
build if the package hash still doesn't match.
B. Turn the current hash check warnings into errors by default, making it
opt-out via config option, so if you enjoy JiaTanning, then be our guest.
C. Forbid usage of Git tags in PKG_SOURCE_VERSION, but I find that a bit harsh.
D. Combination of the above
E. ?
Cheers,
Petr
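As an added illustration of options A and B from the mail above (this is not OpenWrt's own download or Makefile code, and not something Petr posted), the POSIX shell below models the four-step flow: verify the downloaded tarball, on mismatch delete it and regenerate it, then re-verify the regenerated tarball (the "blind spot" step 3) and refuse to build on a persistent mismatch unless an opt-out is set. The function names, the `STRICT_HASH_CHECK` variable and the `REGEN_CMD` stand-in for the Git clone plus tar step are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not OpenWrt build-system code. Function and variable
# names here (sha256_of, verify_tarball_hash, fetch_with_recheck,
# STRICT_HASH_CHECK) are assumptions for the illustration.

# Print the SHA-256 of a file; works with either sha256sum or shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_tarball_hash FILE EXPECTED
# Returns 0 when FILE hashes to EXPECTED, 1 otherwise (message on stderr,
# in the same spirit as the "Wrong hash" buildbot log lines).
verify_tarball_hash() {
    vt_file="$1"
    vt_expected="$2"
    vt_actual=$(sha256_of "$vt_file")
    if [ "$vt_actual" = "$vt_expected" ]; then
        return 0
    fi
    echo "$vt_file: Wrong hash, expecting $vt_expected, got $vt_actual" >&2
    return 1
}

# fetch_with_recheck TARBALL EXPECTED REGEN_CMD
# Step 1: verify the tarball that was downloaded.
# Step 2: on mismatch delete it and regenerate it; REGEN_CMD is a shell
#         command standing in for "git clone + recreate the tarball".
# Step 3: verify the regenerated tarball again (the missing check).
# Step 4: continue only on a match. With STRICT_HASH_CHECK=1 (the default,
#         option B) a persistent mismatch is an error, not a warning; an
#         explicit STRICT_HASH_CHECK=0 is the opt-out.
# Return codes: 0 build may continue, 1 hash mismatch, 2 regeneration failed.
fetch_with_recheck() {
    fr_tarball="$1"
    fr_expected="$2"
    fr_regen_cmd="$3"

    if verify_tarball_hash "$fr_tarball" "$fr_expected"; then
        return 0
    fi

    rm -f "$fr_tarball"
    sh -c "$fr_regen_cmd" || return 2

    if verify_tarball_hash "$fr_tarball" "$fr_expected"; then
        return 0
    fi

    if [ "${STRICT_HASH_CHECK:-1}" = "1" ]; then
        echo "ERROR: $fr_tarball still does not match after regeneration; refusing to build" >&2
        return 1
    fi
    echo "WARNING: STRICT_HASH_CHECK=0 set, continuing with unverified $fr_tarball" >&2
    return 0
}
```

The point of re-verifying after regeneration is that a tarball rebuilt from a Git tag is only as trustworthy as that tag; comparing it against the hash recorded in the package Makefile is what turns the warning in the log into a build failure that a buildbot cannot silently walk past.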