[Bug 1214485] [NEW] click packages supply only DEBIAN/md5sums, but should also supply stronger hashes
Jamie Strandboge
jamie at ubuntu.com
Tue Aug 20 17:01:25 UTC 2013
Public bug reported:
click packages provide DEBIAN/md5sums. When the package is signed, this
is fine to guard against the package being modified without the
developer knowing because altering files within the package results in
the signature failing to verify.
However, a malicious developer is able to upload a signed package with
altered files. We can verify the md5sums automatically to make sure they
are in sync, but because MD5 is vulnerable to hash collisions, we can't
be 100% sure the files didn't change. This isn't a problem with click or
the appstore in and of itself at this time because I don't think
DEBIAN/md5sums is being used for change detection, but if we start to
rely on the sums in DEBIAN/md5sums for change detection between click
package uploads, then we will need to use a stronger hashing algorithm.
** Affects: click (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to click in Ubuntu.
https://bugs.launchpad.net/bugs/1214485
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/click/+bug/1214485/+subscriptions