From: Baptiste Jonglez <g...@bitsofnetworks.org> This should make it harder to exploit bugs such as CVE-2020-7982.
If we can't compute the checksum of a package, we should abort. Similarly, if we can't find any checksum in the package index, this should yield an error. As an exception, installing a package directly from a file is allowed even if no checksum is found, because this is typically used without any package index. This can be useful when installing packages "manually" on a device, but is also done in several places during the OpenWrt build process. In any case, it is always possible to use the existing --force-checksum option to manually bypass these new verifications.
Signed-off-by: Baptiste Jonglez <g...@bitsofnetworks.org>
---
Note: this won't apply cleanly without my earlier patch ("libopkg: move file size check after checksum verification"), although the two patches are functionally independent.
 libopkg/opkg_install.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/libopkg/opkg_install.c b/libopkg/opkg_install.c
index 183a1dc..2c92800 100644
--- a/libopkg/opkg_install.c
+++ b/libopkg/opkg_install.c
@@ -1371,6 +1371,11 @@ int opkg_install_pkg(pkg_t * pkg, int from_upgrade)
 pkg_md5 = pkg_get_md5(pkg);
 if (pkg_md5) {
 file_md5 = file_md5sum_alloc(local_filename);
+ if (!file_md5 && !conf->force_checksum) {
+ opkg_msg(ERROR, "Failed to compute md5sum of package %s.\n",
+ pkg->name);
+ return -1;
+ }
 if (file_md5 && strcmp(file_md5, pkg_md5)) {
 if (!conf->force_checksum) {
 opkg_msg(ERROR, "Package %s md5sum mismatch. "
@@ -1392,6 +1397,11 @@ int opkg_install_pkg(pkg_t * pkg, int from_upgrade)
 pkg_sha256 = pkg_get_sha256(pkg);
 if (pkg_sha256) {
 file_sha256 = file_sha256sum_alloc(local_filename);
+ if (!file_sha256 && !conf->force_checksum) {
+ opkg_msg(ERROR, "Failed to compute sha256sum of package %s.\n",
+ pkg->name);
+ return -1;
+ }
 if (file_sha256 && strcmp(file_sha256, pkg_sha256)) {
 if (!conf->force_checksum) {
 opkg_msg(ERROR,
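Review bot: With `--force-checksum` set, a NULL return from `file_md5sum_alloc()` in the md5 hunk still passes silently: the new guard is skipped and the following `if (file_md5 && strcmp(...))` is false as well, so the install continues with no log line saying the digest was never computed. The sha256 hunk has the same shape with `file_sha256sum_alloc()`. I would add a notice on that path, e.g. `else if (!file_md5) opkg_msg(NOTICE, "Ignored failure to compute md5sum of package %s.\n", pkg->name);`, so a forced install leaves a trace for later review. The new error messages would also be easier to act on if they named `local_filename` alongside `pkg->name`. `opkg_install_pkg` starts and ends outside both hunks, so cleanup on the new `return -1` paths cannot be checked from here.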
@@ -1410,6 +1420,16 @@ int opkg_install_pkg(pkg_t * pkg, int from_upgrade) free(file_sha256); } + /* Check that at least one type of checksum was found. There are + * two acceptable exceptions: + * 1) the package is explicitly installed from a local file; + * 2) the --force-checksum option is used to disable checksum verification. */ + if (!pkg_md5 && !pkg_sha256 && !pkg->provided_by_hand && !conf->force_checksum) { + opkg_msg(ERROR, "Failed to obtain checksum of package %s from package index.\n", + pkg->name); + return -1; + } + /* Check file size */ err = lstat(local_filename, &pkg_stat); -- 2.27.0 _______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
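Review bot: The final check `!pkg_md5 && !pkg_sha256` is satisfied by an index entry that carries only an MD5 sum, so the weakest digest alone is enough to pass the new policy. MD5 detects accidental corruption but is not collision resistant, and whether current feeds still publish MD5-only entries is not visible from this patch. At minimum the block comment should say so, e.g. `* Note: an md5-only index entry passes this check; md5 guards against corruption, not tampering.` The two exemptions are also silent, so consider `opkg_msg(NOTICE, "Installing package %s without checksum verification.\n", pkg->name);` when `provided_by_hand` or `force_checksum` is what let the package through. The function body continues outside the hunk.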