Source: cdebootstrap
Version: 0.5.8
Severity: grave
Tags: security
X-Debbugs-Cc: secur...@debian.org
User: debian-rele...@lists.debian.org
Usertags: bsp-2017-02-de-Berlin
Control: block 856212 by -1
Hi,

cdebootstrap implemented in version 0.5.8 (2011) verification of the Packages files using the SHA1 field of the Release file. That first featured in the installer of the 'wheezy' release (2013).

But whereas md5sum yields a 32-byte hex string, sha1sum yields a 40-byte hex string. cdebootstrap did not consider this, and so it would only compare the first 32 bytes of the hex string against the expected value (effectively truncating the SHA1 hash from 160 to only 128 bits):

http://sources.debian.net/src/cdebootstrap/0.7.6/src/check.c/#L54

    if (item->sum[1])
      return check_sum (target, "sha256sum", item->sum[1], buf_name);
    ...
    if (!strncmp (buf, sum, 32))

Further context and an overview of related bugs will be published at:
https://wiki.debian.org/InstallerDebacle

Thanks,
Regards,
--
Steven Chamberlain
ste...@pyro.eu.org
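The following is an added illustration of the comparison defect described in the report, not cdebootstrap's own code: a fixed 32-character strncmp accepts any SHA1 digest whose last 8 hex characters differ, whereas a check that derives the required length from the algorithm and compares the whole string does not. The hex lengths per algorithm and the sample digests are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hex digest length each checksum algorithm produces (constructed table). */
static size_t hex_len_for(const char *algo)
{
    if (!strcmp(algo, "md5sum"))    return 32;   /* 128 bits */
    if (!strcmp(algo, "sha1sum"))   return 40;   /* 160 bits */
    if (!strcmp(algo, "sha256sum")) return 64;   /* 256 bits */
    return 0;                                     /* unknown algorithm */
}

/* The pattern from the report: only the first 32 hex characters are compared,
 * so a SHA1 (or SHA256) digest is effectively truncated to 128 bits. */
int check_sum_truncated(const char *computed, const char *expected)
{
    return strncmp(computed, expected, 32) == 0;
}

/* Hardened form: both strings must be exactly as long as the algorithm's
 * digest, and every character must match. */
int check_sum_full(const char *algo, const char *computed, const char *expected)
{
    size_t want = hex_len_for(algo);
    if (want == 0) return 0;                  /* reject unknown algorithms */
    if (strlen(expected) != want) return 0;   /* malformed Release entry */
    if (strlen(computed) != want) return 0;   /* malformed computed digest */
    return memcmp(computed, expected, want) == 0;
}

int main(void)
{
    /* Constructed sample: two 40-char SHA1 hex strings sharing the first 32. */
    const char *expected = "0123456789abcdef0123456789abcdef01234567";
    const char *other    = "0123456789abcdef0123456789abcdefdeadbeef";

    printf("truncated compare accepts differing digest: %d\n",
           check_sum_truncated(other, expected));          /* prints 1 */
    printf("full-length compare accepts differing digest: %d\n",
           check_sum_full("sha1sum", other, expected));    /* prints 0 */
    return 0;
}
```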