[Bug 1098752] Re: apt-get download checks sha256 hashes when sha512 hashes are available
Launchpad Bug Tracker
1098752 at bugs.launchpad.net
Wed Jul 10 20:07:55 UTC 2013
This bug was fixed in the package apt - 0.9.9.1~ubuntu1
---------------
apt (0.9.9.1~ubuntu1) saucy; urgency=low
* merged from the debian/sid branch:
- debian/gbp.conf: change build branch to ubuntu/master
- use ubuntu keyring and ubuntu archive keyring in apt-key
- run update-apt-xapian-index in apt.cron
- run apt-key net-update in cron.daily
- different example sources.list
- APT::pkgPackageManager::MaxLoopCount set to 5000
- apport pkgfailure handling
- ubuntu changelog download handling
- patch for apt cross-building, see http://bugs.debian.org/666772
- debian/apt.auto-removal.sh
+ make kernels auto-removable
apt (0.9.9.1) UNRELEASED; urgency=low
* debian/rules:
- call dh_clean in clean (closes: #714980)
apt (0.9.9) unstable; urgency=low
[ Michael Vogt ]
* improve debug output for the Debug::pkgProblemResolver and
Debug::pkgDepCache::AutoInstall
* improve apt-cdrom output when no CD-ROM can be auto-detected
* document --no-auto-detect in apt-cdrom
[ David Kalnischkies ]
* build the en manpages in subdirectory doc/en
* remove -ldl from cdrom and -lutil from apt-get linkage
* rewrite pkgOrderList::DepRemove to stop incorrect immediate setting
(Closes: 645713)
* prefer Essentials over Removals in ordering score
* fix priority sorting by preferring higher in MarkInstall
* try all providers in order if uninstallable in MarkInstall
* do unpacks before configures in SmartConfigure (Closes: #707578)
* fix support for multiple patterns in apt-cache search (Closes: #691453)
* set Fail flag in FileFd on all errors consistently
* don't explicitly init ExtractTar InFd with invalid fd
* OpenDescriptor should autoclose fd always on error (Closes: #704608)
* fail in CopyFile if the FileFds have error flag set
* ensure state-dir exists before copying cdrom files
* fix file location for configure-index.gz in apt.conf(5) (Closes: #711921)
* handle missing "Description" in apt-cache show (Closes: #712435)
* try defaults if auto-detection failed in apt-cdrom (Closes: #712433)
* support \n and \r\n line endings in ReadMessages
* do not redownload unchanged InRelease files
* trigger NODATA error for invalid InRelease files (Closes: #712486)
apt (0.9.8.2) unstable; urgency=low
[ Programs translations ]
* French translation : typo fix. Closes: #677272
[ Guillem Jover ]
* Update Vcs fields (Closes: #708562)
[ Michael Vogt ]
* buildlib/apti18n.h.in:
- fix build failure when building without NLS (closes: #671587)
[ Gregoire Menuel ]
* Fix double free (closes: #711045)
[ Raphael Geissert ]
* Fix crash when the "mirror" method does not find any entry
(closes: #699303)
[ Johan Kiviniemi ]
* cmdline/apt-key:
- Create new keyrings with mode 0644 instead of 0600.
- Accept a nonexistent --keyring file with the adv subcommand as well.
apt (0.9.8.1) unstable; urgency=low
[ David Kalnischkies ]
* apt-pkg/indexcopy.cc:
- non-inline RunGPGV methods to restore ABI compatibility with previous
versions to fix partial upgrades (Closes: #707771)
[ Michael Vogt ]
* moved source to http://git.debian.org/apt/apt.git
* updated gbp.conf to match what bzr-buildpackage is doing
* remove .bzr-buildpackage/default.conf (superseded by gbp.conf)
apt (0.9.8) unstable; urgency=low
[ Ludovico Cavedon ]
* properly handle if-modified-since with libcurl/https
(closes: #705648)
[ Andreas Beckman ]
* apt-pkg/algorithms.cc:
- Do not propagate negative scores from rdepends. Propagating the absolute
value of a negative score may boost obsolete packages and keep them
installed instead of installing their successors. (Closes: #699759)
[ Michael Vogt ]
* apt-pkg/sourcelist.cc:
- fix segfault when a hostname contains a [, thanks to
Tzafrir Cohen (closes: #704653)
* debian/control:
- replace manpages-it (closes: #704723)
[ David Kalnischkies ]
* various simple changes to fix cppcheck warnings
* apt-pkg/pkgcachegen.cc:
- do not store the MD5Sum for every description language variant as
it will be the same for all so it can be shared to save cache space
- handle language tags for descriptions as unique strings to be shared
- factor version string creation out of NewDepends, so we can easily reuse
version strings e.g. for implicit multi-arch dependencies
- equal comparisons are used mostly in same-source relations,
so use this to try to reuse some version strings
- sort group and package names in the hashtable on insert
- share version strings between same versions (of different architectures)
to save some space and allow quick comparisons later on
* apt-pkg/pkgcache.cc:
- assume sorted hashtable entries for groups/packages
* apt-pkg/cacheiterators.h:
- provide DepIterator::IsSatisfied as a nicer shorthand for DepCheck
* apt-pkg/deb/debversion.cc:
- add a string-equal shortcut for equal version comparisons
[ Marc Deslauriers ]
* make apt-ftparchive generate missing deb-src hashes (LP: #1078697)
[ Yaroslav Halchenko ]
* Fix English spelling error in a message ('A error'). Unfuzzy
translations. Closes: #705087
[ Programs translations ]
* French translation completed (Christian Perrier)
[ Manpages translations ]
* French translation completed (Christian Perrier)
[ Daniel Hartwig ]
* apt-pkg/contrib/strutl.cc:
- include port in shortened URIs (e.g. with apt-cache policy, progress
display) thanks to James McCoy (Closes: #154868, #322074)
- percent-encode username and password when writing URIs
* methods/http.cc:
- properly escape IP-literals (e.g. IPv6 address) when building
Host headers and URIs (Closes: #620344)
* methods/https.cc:
- use https_proxy environment variable if present, falling back to
http_proxy otherwise
- use authentication credentials from proxy URI
(Closes: #651640, LP: #1087512)
- environment variables do not override an explicit no proxy
directive ("DIRECT") in apt.conf
- disregard all_proxy environment variable, like other methods
apt (0.9.7.9~exp3) experimental; urgency=low
[ Michael Vogt ]
* apt-pkg/sourcelist.cc:
- fix segfault when a hostname contains a [, thanks to
Tzafrir Cohen (closes: #704653)
* debian/control:
- replace manpages-it (closes: #704723)
[ David Kalnischkies ]
* various simple changes to fix cppcheck warnings
* apt-pkg/pkgcachegen.cc:
- do not store the MD5Sum for every description language variant as
it will be the same for all so it can be shared to save cache space
- handle language tags for descriptions as unique strings to be shared
- factor version string creation out of NewDepends, so we can easily reuse
version strings e.g. for implicit multi-arch dependencies
- equal comparisons are used mostly in same-source relations,
so use this to try to reuse some version strings
- sort group and package names in the hashtable on insert
- share version strings between same versions (of different architectures)
to save some space and allow quick comparisons later on
* apt-pkg/pkgcache.cc:
- assume sorted hashtable entries for groups/packages
* apt-pkg/cacheiterators.h:
- provide DepIterator::IsSatisfied as a nicer shorthand for DepCheck
* apt-pkg/deb/debversion.cc:
- add a string-equal shortcut for equal version comparisons
[ Marc Deslauriers ]
* make apt-ftparchive generate missing deb-src hashes (LP: #1078697)
[ Yaroslav Halchenko ]
* Fix English spelling error in a message ('A error'). Unfuzzy
translations. Closes: #705087
[ Programs translations ]
* French translation completed (Christian Perrier)
[ Manpages translations ]
* French translation completed (Christian Perrier)
[ Daniel Hartwig ]
* apt-pkg/contrib/strutl.cc:
- include port in shortened URIs (e.g. with apt-cache policy, progress
display) thanks to James McCoy (Closes: #154868, #322074)
- percent-encode username and password when writing URIs
* methods/http.cc:
- properly escape IP-literals (e.g. IPv6 address) when building
Host headers and URIs (Closes: #620344)
* methods/https.cc:
- use https_proxy environment variable if present, falling back to
http_proxy otherwise
- use authentication credentials from proxy URI
(Closes: #651640, LP: #1087512)
- environment variables do not override an explicit no proxy
directive ("DIRECT") in apt.conf
- disregard all_proxy environment variable, like other methods
apt (0.9.7.9~exp2) experimental; urgency=low
[ Programs translations ]
* Update all PO files and apt-all.pot
* French translation completed (Christian Perrier)
[ Daniel Hartwig ]
* cmdline/apt-get.cc:
- do not have space between "-a" and option when cross building
(closes: #703792)
* test/integration/test-apt-get-download:
- fix test now that #1098752 is fixed
* po/{ca,cs,ru}.po:
- fix merge artifact
[ David Kalnischkies ]
* apt-pkg/indexcopy.cc:
- rename RunGPGV to ExecGPGV and move it to apt-pkg/contrib/gpgv.cc
* apt-pkg/contrib/gpgv.cc:
- ExecGPGV is a method which should never return, so mark it as such
and fix the inconsistency of returning in error cases
- don't close stdout/stderr if it is also the statusfd
- if ExecGPGV deals with a clear-signed file it will split this file
into data and signatures, pass it to gpgv for verification
- add method to open (maybe) clearsigned files transparently
* apt-pkg/acquire-item.cc:
- keep the last good InRelease file around just as we do it with
Release.gpg in case the new one we download isn't good for us
* apt-pkg/deb/debmetaindex.cc:
- reenable InRelease by default
* ftparchive/writer.cc,
apt-pkg/deb/debindexfile.cc,
apt-pkg/deb/deblistparser.cc:
- use OpenMaybeClearSignedFile to be free from detecting and
skipping clearsigning metadata in dsc and Release files
[ Michael Vogt ]
* add regression test for CVE-2013-1051
* implement GPGSplit() based on the idea from Ansgar Burchardt
(many thanks!)
* methods/connect.cc:
- use Errno() instead of strerror(), thanks to David Kalnischkies
* doc/apt.conf.5.xml:
- document Acquire::ForceIPv{4,6}
apt (0.9.7.9~exp1) experimental; urgency=low
[ Niels Thykier ]
* test/libapt/assert.h, test/libapt/run-tests:
- exit with status 1 on test failure
[ Daniel Hartwig ]
* test/integration/framework:
- continue after test failure but preserve exit status
[ Programs translation updates ]
* Turkish (Mert Dirik). Closes: #703526
[ Colin Watson ]
* methods/connect.cc:
- provide useful error message in case of EAI_SYSTEM
(closes: #703603)
[ Michael Vogt ]
* add new config options "Acquire::ForceIPv4" and
"Acquire::ForceIPv6" to allow forcing one or the other
(closes: #611891)
* lp:~mvo/apt/fix-tagfile-hash:
- fix false positives in pkgTagSection.Exists(), thanks to
Niels Thykier for the testcase (closes: #703240)
- this will require rebuilds of the clients as this used to
be an inline function
apt (0.9.7.8) unstable; urgency=critical
* SECURITY UPDATE: InRelease verification bypass
- CVE-2013-1051
[ David Kalnischkies ]
* apt-pkg/deb/debmetaindex.cc,
test/integration/test-bug-595691-empty-and-broken-archive-files,
test/integration/test-releasefile-verification:
- disable InRelease downloading until the verification issue is
fixed, thanks to Ansgar Burchardt for finding the flaw
apt (0.9.7.8~exp2) experimental; urgency=low
* include two missing patches to really fix bug #696225, thanks to
Guillem Jover
* ensure sha512 is really used when available, thanks to Tyler Hicks
(LP: #1098752)
apt (0.9.7.8~exp1) experimental; urgency=low
[ Manpages translation updates ]
* Italian (Beatrice Torracca). Closes: #696601
[ Programs translation updates ]
* Japanese (Kenshi Muto). Closes: #699783
[ Michael Vogt ]
* fix pkgProblemResolver::Scores, thanks to Paul Wise.
Closes: #697577
* fix missing translated apt.8 manpages, thanks to Helge Kreutzmann
for the report. Closes: #696923
* apt-pkg/contrib/progress.cc:
- Make "..." translatable to fix inconsistencies in the output
of e.g. apt-get update. While this adds new translatable strings,
not having translations for them will not break anything.
Thanks to Guillem Jover. Closes: #696225
* debian/apt.cron.daily:
- when reading from /dev/urandom, use less entropy and fix a rare
bug when the random number chksum is less than 1000.
Closes: #695285
* methods/https.cc:
- reuse connection in https, thanks to Thomas Bushnell, BSG for the
patch. LP: #1087543, Closes: #695359
- add missing curl_easy_cleanup()
* methods/http.cc:
- quote spaces in filenames, as the http method is also
(potentially) used for non deb,dsc content that may contain
spaces, thanks to Daniel Hartwig and Thomas Bushnell
(LP: #1086997)
- quote plus in filenames to work around a bug in the S3 server
(LP: #1003633)
* apt-pkg/indexrecords.cc:
- support '\r' in the Release file
[ David Kalnischkies ]
* apt-pkg/depcache.cc:
- prefer to install packages which have an already installed M-A:same
sibling while choosing providers (LP: #1130419)
-- Michael Vogt <michael.vogt at ubuntu.com> Wed, 10 Jul 2013 17:03:52 +0200
** Changed in: apt (Ubuntu)
Status: In Progress => Fix Released
** Bug watch added: Debian Bug tracker #666772
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666772
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1051
https://bugs.launchpad.net/bugs/1098752
Title:
apt-get download checks sha256 hashes when sha512 hashes are available
Status in “apt” package in Ubuntu:
Fix Released
Bug description:
While auditing some apt code, I noticed that apt-get download uses
SHA-256 hashes even when SHA-512 hashes are available. From
DoDownload() in cmdline/apt-get.cc:
  // get the most appropriate hash
  HashString hash;
  if (rec.SHA512Hash() != "")
     hash = HashString("sha512", rec.SHA512Hash());
  if (rec.SHA256Hash() != "")   // missing "else": overwrites the sha512 choice
     hash = HashString("sha256", rec.SHA256Hash());
  else if (rec.SHA1Hash() != "")
     hash = HashString("sha1", rec.SHA1Hash());
  else if (rec.MD5Hash() != "")
     hash = HashString("md5", rec.MD5Hash());

  // get the file
  new pkgAcqFile(&Fetcher, uri, hash.toStr(), (*Ver)->Size, descr, Pkg.Name(), ".");
The conditional for rec.SHA256Hash() should use an else if statement.
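Added example (not code from apt or from the bug reporter): the selection logic quoted in the report, reproduced beside the corrected if/else-if chain, so the fall-through can be observed directly. IndexRecord, HashString, FullRecord and the placeholder digests are constructed stand-ins assumed by this example; apt's real pkgRecords::Parser and HashString are not used.

```cpp
#include <iostream>
#include <string>

// Constructed stand-in (assumption of this example) for the accessors of
// apt's pkgRecords::Parser that DoDownload() consults: each returns the hex
// digest published in the index, or "" when the archive does not carry it.
struct IndexRecord {
    std::string md5, sha1, sha256, sha512;
    std::string MD5Hash() const { return md5; }
    std::string SHA1Hash() const { return sha1; }
    std::string SHA256Hash() const { return sha256; }
    std::string SHA512Hash() const { return sha512; }
};

// Minimal stand-in for apt's HashString ("<type>:<hexdigest>").
struct HashString {
    std::string type;
    std::string hash;
    std::string toStr() const { return type.empty() ? "" : type + ":" + hash; }
};

// The selection as it read in cmdline/apt-get.cc before the fix. The second
// test is a plain `if`, so whenever the record carries both digests the
// SHA-512 choice made one line earlier is silently overwritten with SHA-256.
HashString SelectHashBuggy(const IndexRecord &rec) {
    HashString hash;
    if (rec.SHA512Hash() != "")
        hash = HashString{"sha512", rec.SHA512Hash()};
    if (rec.SHA256Hash() != "")          // bug: should be `else if`
        hash = HashString{"sha256", rec.SHA256Hash()};
    else if (rec.SHA1Hash() != "")
        hash = HashString{"sha1", rec.SHA1Hash()};
    else if (rec.MD5Hash() != "")
        hash = HashString{"md5", rec.MD5Hash()};
    return hash;
}

// Fixed selection: a single if/else-if chain ordered strongest first, so a
// weaker digest is reached only when every stronger one is absent.
HashString SelectHashFixed(const IndexRecord &rec) {
    HashString hash;
    if (rec.SHA512Hash() != "")
        hash = HashString{"sha512", rec.SHA512Hash()};
    else if (rec.SHA256Hash() != "")
        hash = HashString{"sha256", rec.SHA256Hash()};
    else if (rec.SHA1Hash() != "")
        hash = HashString{"sha1", rec.SHA1Hash()};
    else if (rec.MD5Hash() != "")
        hash = HashString{"md5", rec.MD5Hash()};
    return hash;
}

// Constructed sample record carrying all four digests. The hex values are
// placeholders of the right length, not hashes of any real package.
IndexRecord FullRecord() {
    return IndexRecord{std::string(32, '1'),
                       std::string(40, '2'),
                       std::string(64, '3'),
                       std::string(128, '4')};
}

int main() {
    IndexRecord rec = FullRecord();
    std::cout << "buggy: " << SelectHashBuggy(rec).type << '\n'   // sha256
              << "fixed: " << SelectHashFixed(rec).type << '\n';  // sha512
    return 0;
}
```

The practical consequence of the buggy branch is that a download is verified against the SHA-256 digest whenever the index publishes both, and SHA-512 is only ever used for records that carry no SHA-256 at all; the fixed chain makes the strongest published digest win and leaves the weaker ones as fallbacks.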