On Fri, Jan 11, 2013 at 10:58:04PM -0000, Tyler Hicks wrote:
> *** This bug is a security vulnerability ***
>
> Public security bug reported:
>
> While auditing some apt code, I noticed that apt-get download uses
> SHA-256 hashes even when SHA-512 hashes are available. From DoDownload()
> in cmdline/apt-get.cc:
>
> // get the most appropriate hash
> HashString hash;
> if (rec.SHA512Hash() != "")
>    hash = HashString("sha512", rec.SHA512Hash());
> if (rec.SHA256Hash() != "")
>    hash = HashString("sha256", rec.SHA256Hash());
> else if (rec.SHA1Hash() != "")
>    hash = HashString("sha1", rec.SHA1Hash());
> else if (rec.MD5Hash() != "")
>    hash = HashString("md5", rec.MD5Hash());
> // get the file
> new pkgAcqFile(&Fetcher, uri, hash.toStr(), (*Ver)->Size, descr,
>                Pkg.Name(), ".");
>
> The conditional for rec.SHA256Hash() should use an else if statement.
Indeed, thanks for reporting. I attach a (trivial) bzr bundle for
this.
Cheers,
Michael
> ** Affects: apt (Ubuntu)
> Importance: Undecided
> Status: New
>
> --
> You received this bug notification because you are subscribed to apt in
> Ubuntu.
> https://bugs.launchpad.net/bugs/1098752
>
> Title:
> apt-get download checks sha256 hashes when sha512 hashes are available
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1098752/+subscriptions
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
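The hash-selection logic from the report, as an added example that is not apt's own code: the reported chain beside the corrected `else if` chain, run over a constructed record carrying every digest type. `Record`, `hashStr`, `pickHashBuggy` and `pickHashFixed` are assumed names standing in for apt's `pkgRecords::Parser` accessors and `HashString::toStr()`.

```cpp
#include <iostream>
#include <string>

// Constructed stand-in for the per-package record fields apt exposes
// (SHA512Hash(), SHA256Hash(), ...); not apt's own type.
struct Record {
    std::string sha512, sha256, sha1, md5;
};

// Mirrors the "type:hex" form produced by HashString(type, hash).toStr().
static std::string hashStr(const std::string& type, const std::string& hex) {
    return type + ":" + hex;
}

// Selection as reported in the bug: the SHA-256 branch is a bare `if`, so it
// overwrites the SHA-512 choice whenever a SHA-256 hash is also present.
std::string pickHashBuggy(const Record& rec) {
    std::string hash;
    if (rec.sha512 != "")
        hash = hashStr("sha512", rec.sha512);
    if (rec.sha256 != "")
        hash = hashStr("sha256", rec.sha256);
    else if (rec.sha1 != "")
        hash = hashStr("sha1", rec.sha1);
    else if (rec.md5 != "")
        hash = hashStr("md5", rec.md5);
    return hash;
}

// Corrected chain: `else if` makes each branch a fallback for the one above,
// so the strongest digest present in the record is the one verified.
std::string pickHashFixed(const Record& rec) {
    std::string hash;
    if (rec.sha512 != "")
        hash = hashStr("sha512", rec.sha512);
    else if (rec.sha256 != "")
        hash = hashStr("sha256", rec.sha256);
    else if (rec.sha1 != "")
        hash = hashStr("sha1", rec.sha1);
    else if (rec.md5 != "")
        hash = hashStr("md5", rec.md5);
    return hash;
}

int main() {
    // Constructed record with all four digests (hex values are placeholders).
    Record rec{"5a5a", "2b2b", "1c1c", "0d0d"};
    std::cout << "buggy: " << pickHashBuggy(rec) << "\n"   // sha256:2b2b
              << "fixed: " << pickHashFixed(rec) << "\n";  // sha512:5a5a
    return 0;
}
```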