[PATCH opkg] libopkg: harden checksum verification in error cases

Mon, 24 Aug 2020 04:57:38 -0700 

From: Baptiste Jonglez <g...@bitsofnetworks.org>

This should make it harder to exploit bugs such as CVE-2020-7982.

If we can't compute the checksum of a package, we should abort.

Similarly, if we can't find any checksum in the package index, this should
yield an error.

As an exception, installing a package directly from a file is allowed even
if no checksum is found, because this is typically used without any
package index.  This can be useful when installing packages "manually" on
a device, but is also done in several places during the OpenWrt build
process.

In any case, it is always possible to use the existing --force-checksum
option to manually bypass these new verifications.

Signed-off-by: Baptiste Jonglez <g...@bitsofnetworks.org>
---

Note: this won't apply cleanly without my earlier patch ("libopkg: move file
size check after checksum verification"), although the two patches are
functionally independent.

 libopkg/opkg_install.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/libopkg/opkg_install.c b/libopkg/opkg_install.c
index 183a1dc..2c92800 100644
--- a/libopkg/opkg_install.c
+++ b/libopkg/opkg_install.c
@@ -1371,6 +1371,11 @@ int opkg_install_pkg(pkg_t * pkg, int from_upgrade)
        pkg_md5 = pkg_get_md5(pkg);
        if (pkg_md5) {
                file_md5 = file_md5sum_alloc(local_filename);
+               if (!file_md5 && !conf->force_checksum) {
+                       opkg_msg(ERROR, "Failed to compute md5sum of package 
%s.\n",
+                                pkg->name);
+                       return -1;
+               }
                if (file_md5 && strcmp(file_md5, pkg_md5)) {
                        if (!conf->force_checksum) {
                                opkg_msg(ERROR, "Package %s md5sum mismatch. "
@@ -1392,6 +1397,11 @@ int opkg_install_pkg(pkg_t * pkg, int from_upgrade)
        pkg_sha256 = pkg_get_sha256(pkg);
        if (pkg_sha256) {
                file_sha256 = file_sha256sum_alloc(local_filename);
+               if (!file_sha256 && !conf->force_checksum) {
+                       opkg_msg(ERROR, "Failed to compute sha256sum of package 
%s.\n",
+                                pkg->name);
+                       return -1;
+               }
                if (file_sha256 && strcmp(file_sha256, pkg_sha256)) {
                        if (!conf->force_checksum) {
                                opkg_msg(ERROR,
@@ -1410,6 +1420,16 @@ int opkg_install_pkg(pkg_t * pkg, int from_upgrade)
                        free(file_sha256);
        }
 
+       /* Check that at least one type of checksum was found.  There are
+        * two acceptable exceptions:
+        * 1) the package is explicitly installed from a local file;
+        * 2) the --force-checksum option is used to disable checksum 
verification. */
+       if (!pkg_md5 && !pkg_sha256 && !pkg->provided_by_hand && 
!conf->force_checksum) {
+               opkg_msg(ERROR, "Failed to obtain checksum of package %s from 
package index.\n",
+                        pkg->name);
+               return -1;
+       }
+
        /* Check file size */
        err = lstat(local_filename, &pkg_stat);
 
-- 
2.27.0


_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel

Reply via email to