[Bug 1214485] [NEW] click packages supply only DEBIAN/md5sums, but should also supply stronger hashes

Jamie Strandboge jamie at ubuntu.com
Tue Aug 20 17:01:25 UTC 2013 

Public bug reported:

click packages provide DEBIAN/md5sums. When the package is signed, this
is fine to guard against the package being modified without the
developer knowing because altering files within the package results in
the signature failing to verify.

However, a malicious developer is able to upload a signed package with
altered files. We can verify the md5sums automatically to make sure they
are in sync, but because MD5 is vulnerable to hash collisions, we can't
be 100% sure the files didn't change. This isn't a problem with click or
the appstore in and of itself at this time because I don't think
DEBIAN/md5sums is being used for change detection, but if we start to
rely on the sums in DEBIAN/md5sums for change detection between click
package uploads, then we will need to use a stronger hashing algorithm.

** Affects: click (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to click in Ubuntu.
https://bugs.launchpad.net/bugs/1214485

Title:
  click packages supply only DEBIAN/md5sums, but should also supply
  stronger hashes

Status in “click” package in Ubuntu:
  New

Bug description:
  click packages provide DEBIAN/md5sums. When the package is signed,
  this is fine to guard against the package being modified without the
  developer knowing because altering files within the package results in
  the signature failing to verify.

  However, a malicious developer is able to upload a signed package with
  altered files. We can verify the md5sums automatically to make sure
  they are in sync, but because MD5 is vulnerable to hash collisions, we
  can't be 100% sure the files didn't change. This isn't a problem with
  click or the appstore in and of itself at this time because I don't
  think DEBIAN/md5sums is being used for change detection, but if we
  start to rely on the sums in DEBIAN/md5sums for change detection
  between click package uploads, then we will need to use a stronger
  hashing algorithm.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/click/+bug/1214485/+subscriptions

More information about the foundations-bugs mailing list