[Bug 1098752] [NEW] apt-get download checks sha256 hashes when sha512 hashes are available

Michael Vogt michaelvogt at imap.cc
Mon Jan 14 05:36:14 UTC 2013


On Fri, Jan 11, 2013 at 10:58:04PM -0000, Tyler Hicks wrote:
> *** This bug is a security vulnerability ***
> 
> Public security bug reported:
> 
> While auditing some apt code, I noticed that apt-get download uses
> SHA-256 hashes even when SHA-512 hashes are available. From DoDownload()
> in cmdline/apt-get.cc:
> 
>       // get the most appropriate hash
>       HashString hash;
>       if (rec.SHA512Hash() != "")
>          hash = HashString("sha512", rec.SHA512Hash());
>       if (rec.SHA256Hash() != "")
>          hash = HashString("sha256", rec.SHA256Hash());
>       else if (rec.SHA1Hash() != "")
>          hash = HashString("sha1", rec.SHA1Hash());
>       else if (rec.MD5Hash() != "")
>          hash = HashString("md5", rec.MD5Hash());
>       // get the file
>       new pkgAcqFile(&Fetcher, uri, hash.toStr(), (*Ver)->Size, descr, Pkg.Name(), ".");
> 
> The conditional for rec.SHA256Hash() should use an else if statement.

Indeed, thanks for reporting. I attach a (trivial) bzr bundle for
this.

Cheers,
 Michael
 
> ** Affects: apt (Ubuntu)
>      Importance: Undecided
>          Status: New
> 
> -- 
> You received this bug notification because you are subscribed to apt in
> Ubuntu.
> https://bugs.launchpad.net/bugs/1098752
> 
> Title:
>   apt-get download checks sha256 hashes when sha512 hashes are available
> 
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1098752/+subscriptions

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1098752

Title:
  apt-get download checks sha256 hashes when sha512 hashes are available

Status in “apt” package in Ubuntu:
  New
