On Fri, Jul 14, 2006 at 04:01:46AM +0200, Jakob Bohm wrote:
> Package: apt
> Version: 0.6.44.2
> Severity: critical
> Tags: security patch
> Justification: breaks the whole system

Thanks for your bug report and your patch. I applied the patch and I added a test in tests/hashes.cc for the sha256 code.

> The SHA256 checksums recently added to Packages files are wrong
> due to a porting error when the sha256 implementation code was
> imported from the Linux kernel sources to the apt source tree.
> Specifically, the broken sha256 code checksums only 19 out of
> every 64 bytes of input and otherwise computes a result which is
> neither sha256(input) nor sha256(mangled input).
>
> According to the changelog, the broken code was added to
> non-experimental apt in version 0.6.44 uploaded 8 May 2006.
>
> This has the following severe consequences:
>
> - The broken hash values obviously do not provide anything
> resembling the security needed by secure apt, a problem
> compounded by the broken status of the other two hash
> algorithms used (MD5 and SHA1). Thus the security tag.

The current version of apt is not yet fully converted to use sha256. Currently we generate them in apt-ftparchive but they are not yet checked when the files are downloaded (only sha1/md5 is right now). There is a branch to fully do sha256 at http://people.ubuntu.com/~mvo/bzr/apt/sha256/ but it is not finished and there are several issues that need to be resolved first.

> - When the code is fixed to produce and check correct SHA256
> hashes, the fact that these values are different from the
> broken values means that a correct apt will reject all Packages
> files produced by a broken apt and a broken apt will reject all
> Packages files produced by a correct apt. This means that
> when such a new apt implementation is placed in the debian
> archive, the whole system becomes impossible to install or
> upgrade: [..]

See above, this is not an issue right now.

Cheers,
 Michael
-- 
Linux is not The Answer. Yes is the answer. Linux is The Question. - Neo