Package: debootstrap
Tags: security patch

I am not comfortable with allowing a SHA_SIZE environmental variable, defined at some point prior to running debootstrap, to dictate the security of checksum verification performed by debootstrap. I would much prefer to see the default overridden only by an explicitly provided parameter.
The patch attached implements this. The patch:
- Adds provision of a new --sha-size parameter for specifying the size variant of the sha checksum binary to use.
- Preserves the current default of 256.
- Builds on top of my bug #775444 patch to replace the new 'sha binary unavailable warning' with an error.
- Removes the sha1 fallback, requiring users to explicitly specify --sha-size=1 if they need sha1sum to be used.
commit cce61c7c3d89293506817df0dd6ee646b8d8092e Author: jnqnfe <jnq...@gmail.com> Date: Thu Jan 15 19:38:44 2015 +0000 Provide sha size param instead of using environmental variable diff --git a/debootstrap b/debootstrap index c383517..8d40818 100755 --- a/debootstrap +++ b/debootstrap @@ -46,6 +46,7 @@ VERBOSE="" CERTIFICATE="" CHECKCERTIF="" PRIVATEKEY="" +SHA_SIZE="" DEF_MIRROR="http://ftp.us.debian.org/debian" DEF_HTTPS_MIRROR="https://mirrors.kernel.org/debian" @@ -118,6 +119,8 @@ usage() --private-key=file read the private key from file --certificate=file use the client certificate stored in file (PEM) --no-check-certificate do not check certificate against certificate authorities + --sha-size=size used for specifying which size variant of sha checksum to + use in performing checksum verifications, default is 256 EOF } @@ -345,6 +348,17 @@ if [ $# != 0 ] ; then CHECKCERTIF="--no-check-certificate" shift ;; + --sha-size|--sha-size=?*) + if [ "$1" = "--sha-size" -a -n "$2" ]; then + SHA_SIZE="--sha-size=$2" + shift 2 + elif [ "$1" != "${1#--sha-size=}" ]; then + SHA_SIZE="--sha-size=${1#--sha-size=}" + shift 1 + else + error 1 NEEDARG "option requires an argument %s" "$1" + fi + ;; --*) error 1 BADARG "unrecognized or invalid option %s" "$1" ;; @@ -461,8 +475,7 @@ if [ -z "$SHA_SIZE" ]; then SHA_SIZE=256 fi if ! in_path "sha${SHA_SIZE}sum" && ! in_path "sha${SHA_SIZE}"; then - warning SHA_SIZE "Cannot find binary for checking sha%s checksums, falling back to sha1" "${SHA_SIZE}" - SHA_SIZE=1 + error 1 SHA_SIZE "Cannot find binary for checking sha%s checksums" "${SHA_SIZE}" fi DEBOOTSTRAP_CHECKSUM_FIELD="SHA$SHA_SIZE"
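Review bot: In the first hunk (@@ -46,6 +46,7 @@), the new SHA_SIZE="" line has no comment, yet it is the assignment that discards any SHA_SIZE inherited from the environment, which is the whole point of the change. A one-line comment saying so would stop it being removed later as a redundant initialisation next to CERTIFICATE="" and PRIVATEKEY="".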
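Review bot: In the usage() hunk (@@ -118,6 +119,8 @@), the --sha-size help text states the default of 256 but not which values are accepted, and in particular not that 1 selects sha1sum, which the last hunk no longer falls back to. Tighten the wording (for example "sha checksum size to use for verification (default: 256)") and list the accepted sizes so a user who sees the new error knows what to pass.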
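Review bot: In the option-parsing hunk (@@ -345,6 +348,17 @@), both branches store the option text instead of the bare value: SHA_SIZE="--sha-size=$2" and SHA_SIZE="--sha-size=${1#--sha-size=}". The last hunk interpolates that variable into "sha${SHA_SIZE}sum" and DEBOOTSTRAP_CHECKSUM_FIELD="SHA$SHA_SIZE", so --sha-size=512 would search for a binary named sha--sha-size=512sum and always hit the new error. Assign SHA_SIZE="$2" and SHA_SIZE="${1#--sha-size=}" instead. The value is also never validated before it becomes part of a command name and a checksum field name, so reject anything outside the supported sizes here with a case statement and error 1 BADARG.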
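Review bot: In the final hunk (@@ -461,8 +475,7 @@), the replacement error "Cannot find binary for checking sha%s checksums" leaves the user without a next step now that the sha1 fallback is gone. Mention --sha-size in the message so that someone on a system lacking the sha256 binary learns that a different variant has to be requested explicitly instead of being selected silently.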