git.openwrt.org Git - project/opkg-lede.git/commit

author	Alexander Ryzhov <github@ryzhov-al.ru>
	Sun, 13 Sep 2020 12:42:56 +0000 (14:42 +0200)
committer	Baptiste Jonglez <git@bitsofnetworks.org>
	Sun, 31 Jan 2021 09:58:05 +0000 (10:58 +0100)
commit	c5dccea956b8be14eabf6ff69b331a3e9ac36749
tree	338cd6ab52b3d473924601a5e6afed436b7dba51	tree \| snapshot
parent	7cad0c0bda62dc2a151a5e52aa237eda40c76060	commit \| diff

libopkg: fix md5sum calculation

This regression prevents MD5 checksums from being checked. Packages are
still installed, but this raises several issues:

- if only MD5 checksums are provided in the package list, it is trivial
  for an attacker to modify the content of a package, since checksum
  verification is bypassed. If both MD5 and SHA256 checksums are
  provided, then SHA256 is correctly verified and the attack is not
  possible.

- future efforts to harden checksum verification would prevent package
  installation.

Note that OpenWrt has switched to SHA256 for all its packages several
years ago. As a result, this bug does not affect OpenWrt packages from the
official package feeds.

However, custom package repositories that only use MD5 are affected.

Initially submitted at https://github.com/openwrt/openwrt/pull/3087

Fixes: 33f7b80aa325 ("libopkg: drop custom md5 implementation,
unconditionally enable sha256 support")

Signed-off-by: Alexander Ryzhov <github@ryzhov-al.ru>
[Add commit description]
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
(cherry picked from commit 66f458decf9fd2839d77bf420e93d9c78025488a)