On 24-08-20, Baptiste Jonglez wrote:
> From: Baptiste Jonglez <g...@bitsofnetworks.org>
>
> This should make it harder to exploit bugs such as CVE-2020-7982.
>
> If we can't compute the checksum of a package, we should abort.
>
> Similarly, if we can't find any checksum in the package index, this should
> yield an error.
>
> As an exception, installing a package directly from a file is allowed even
> if no checksum is found, because this is typically used without any
> package index. This can be useful when installing packages "manually" on
> a device, but is also done in several places during the OpenWrt build
> process.
>
> In any case, it is always possible to use the existing --force-checksum
> option to manually bypass these new verifications.
It seems that I missed a use-case: installing a package directly from a URL, like this:

    opkg install http://example.com/pkg.ipk

It will now fail because no checksum is found in a package index.

One way would be to also enable the "provided_by_hand" flag in this case, just like it is already done when installing from a file (e.g. opkg install /tmp/foo.ipk).

It seems this could change dependency resolution; that's apparently the purpose of the "provided_by_hand" flag according to a comment:

    Adding this flag, to "force" opkg to choose a "provided_by_hand" package, if there are multiple choice

Is it fine? Any other idea?

Baptiste
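The checksum policy discussed in this thread, modelled as an added example (not opkg's own code): a package index is parsed, the package's SHA-256 is compared against the index entry, and the provided_by_hand and --force-checksum exceptions are applied. The index text and package bytes are constructed for the example; the SHA256sum field name follows the OpenWrt Packages index format, and the policy function and its return values are this example's own.

```python
import hashlib

# Constructed sample package payload and index stanzas; not real OpenWrt data.
PKG_DATA = b"constructed ipk payload for foo 1.0"
PKG_SHA256 = hashlib.sha256(PKG_DATA).hexdigest()
INDEX = (
    "Package: foo\nVersion: 1.0\nFilename: foo_1.0_all.ipk\n"
    f"SHA256sum: {PKG_SHA256}\n\n"
    # "bar" deliberately has no checksum entry in the index.
    "Package: bar\nVersion: 2.1\nFilename: bar_2.1_all.ipk\n\n"
)


def parse_index(text):
    """Return {package name: {field: value}} from a Packages-style index."""
    pkgs = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1)
                      for line in stanza.splitlines() if ": " in line)
        pkgs[fields["Package"]] = fields
    return pkgs


def install_allowed(name, data, index, provided_by_hand=False,
                    force_checksum=False):
    """Decide whether an opkg-style install should proceed.

    Policy as described in the thread (hypothetical modelling):
      - --force-checksum bypasses every check;
      - a package not provided by hand needs an index checksum, else abort;
      - a package provided by hand (local file, or URL as proposed) may
        install without an index checksum, but a present one must match.
    Returns (allowed, reason).
    """
    if force_checksum:
        return True, "forced"
    expected = index.get(name, {}).get("SHA256sum")
    if expected is None:
        if provided_by_hand:
            return True, "no checksum, provided by hand"
        return False, "no checksum in package index"
    actual = hashlib.sha256(data).hexdigest()
    if actual != expected:
        return False, "checksum mismatch"
    return True, "checksum verified"
```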
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel