python-apt uses MD5 for validation

Bug #1858972 reported by Seth Arnold
Affects: python-apt (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

Only MD5 is checked (most versions)

In stable releases, and unstable, they only check MD5 sums of the files they download. 1.9.0 was broken as it still referred to the md5 field, but the field went away, so it would raise an exception if you tried to use it - so that's safe :D

experimental (1.9.1) checks all hash sums, but only if some are present - it would happily accept an empty list of hashes - 1.9.2 will fix this issue by checking that the list of hashes is "usable", as it's called in apt, completing the proper fix.

The only versions not affected by this are the ones in Ubuntu eoan and focal, as they hardcoded SHA256 instead of MD5 as a workaround to code failing because MD5 went away.
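The description above distinguishes three behaviours: checking only MD5, accepting any hash list even when it is empty, and the 1.9.2 fix of first requiring the list to be "usable". The following is an added example, not python-apt's own code, that models that "usable" check and the allow_unauthenticated escape hatch mentioned in the changelogs; the names (verify_download, usable, outcome), the (algorithm, hexdigest) list shape and the sample index entries are assumptions constructed for the illustration.

```python
import hashlib
import hmac

# Algorithms treated as strong enough to authenticate a download. MD5 and
# SHA1 may still appear in an index but never make a hash list "usable".
STRONG = frozenset({"sha256", "sha512"})
KNOWN = frozenset({"md5", "sha1", "sha256", "sha512"})


class HashMismatch(Exception):
    """Content does not match one of the recorded hashes."""


class NoTrustedHash(Exception):
    """The hash list is empty or contains no strong hash."""


def _normalize(alg):
    # Index fields are spelled "MD5Sum", "SHA256", ...; hashlib wants "md5".
    alg = alg.lower()
    return alg[:-3] if alg.endswith("sum") else alg


def usable(expected):
    """The 'usable' test: at least one strong hash is present in the list."""
    return any(_normalize(alg) in STRONG for alg, _ in expected)


def verify_download(data, expected, allow_unauthenticated=False):
    """Check *data* against every known hash in *expected* (alg, hexdigest).

    Returns the list of algorithms that matched. Raises NoTrustedHash when
    the list is empty or weak-only and allow_unauthenticated is False (the
    pre-fix behaviour accepted such lists); raises HashMismatch if any hash,
    strong or weak, disagrees with the content.
    """
    pairs = [(_normalize(alg), hexdigest.lower()) for alg, hexdigest in expected]
    if not usable(pairs) and not allow_unauthenticated:
        raise NoTrustedHash("no SHA256/SHA512 hash recorded for this file")
    matched = []
    for alg, hexdigest in pairs:
        if alg not in KNOWN:
            continue  # hypothetical policy: ignore algorithms we cannot compute
        actual = hashlib.new(alg, data).hexdigest()
        if not hmac.compare_digest(actual, hexdigest):
            raise HashMismatch("%s mismatch" % alg)
        matched.append(alg)
    return matched


# Constructed sample content and index entries derived from it (not real
# archive data) so the example runs offline.
SAMPLE_DATA = b"Package: example\nVersion: 1.0\n"
TAMPERED_DATA = b"Package: example\nVersion: 1.0-modified\n"
FULL_INDEX = [("MD5Sum", hashlib.md5(SAMPLE_DATA).hexdigest()),
              ("SHA256", hashlib.sha256(SAMPLE_DATA).hexdigest())]
MD5_ONLY_INDEX = FULL_INDEX[:1]


def outcome(data, expected, allow_unauthenticated=False):
    """Summarise verify_download's result as a short string."""
    try:
        return "ok:" + "+".join(verify_download(data, expected, allow_unauthenticated))
    except NoTrustedHash:
        return "untrusted"
    except HashMismatch:
        return "mismatch"


if __name__ == "__main__":
    for label, data, index, allow in [
        ("full index", SAMPLE_DATA, FULL_INDEX, False),
        ("md5 only", SAMPLE_DATA, MD5_ONLY_INDEX, False),
        ("empty list", SAMPLE_DATA, [], False),
        ("md5 only, unauthenticated allowed", SAMPLE_DATA, MD5_ONLY_INDEX, True),
        ("tampered content", TAMPERED_DATA, FULL_INDEX, False),
    ]:
        print("%-36s %s" % (label, outcome(data, index, allow)))
```

The empty-list case is the one the description calls out: without the usable() gate, a loop over zero hashes finds zero mismatches and the file is accepted. With the gate, an empty or MD5-only list is refused unless the caller has explicitly opted into unauthenticated downloads.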

Julian Andres Klode (juliank) wrote :

All diffs have passed CI, and local autopkgtest.

Julian Andres Klode (juliank) wrote :

On upload, it would be great if the version in the tarball dirname matches the version of the upload. I have .dsc that do so, but if you just apply the debdiff to the release version and run dpkg-source/buildpackage you end up with the old version number inside the tarball.

Julian Andres Klode (juliank) wrote :

Patches for precise and trusty. The precise one does not have autopkgtest, but CI passed (and runs the same test cases), so that's something.

Also, all test cases run during build anyway.

Julian Andres Klode (juliank) wrote :

Please note that this requires patching aptdaemon across all releases, I have provided such a patch in bug 1858973 - as aptdaemon is only affected by that one.

The Breaks: aptdaemon has been bumped according to what the new aptdaemon versions with the patch applied will be, so that installing this update cannot break your aptdaemon use cases.

Julian Andres Klode (juliank) wrote :

Oh, the precise and trusty ones currently also require SHA256 unless allow_unauthenticated has been passed which is stronger than apt-get does. Probably should remove that check, so it's consistent with apt.

Leonidas S. Barbosa (leosilvab) wrote :

Hi @juliank,

Can I use these debdiffs for precise and trusty or will you do any changes on them?

Thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-apt - 1.9.0ubuntu1.2

---------------
python-apt (1.9.0ubuntu1.2) eoan-security; urgency=medium

  * SECURITY UPDATE: Check that repository is trusted before downloading
    files from it (LP: #1858973)
    - apt/cache.py: Add checks to fetch_archives() and commit()
    - apt/package.py: Add checks to fetch_binary() and fetch_source()
    - CVE-2019-15796
  * SECURITY UPDATE: Do not use MD5 for verifying downloads
    (Closes: #944696) (#LP: #1858972)
    - apt/package.py: Use all hashes when fetching packages, and
      check that we have trusted hashes when downloading
    - CVE-2019-15795
  * To work around the new checks, the parameter allow_unauthenticated=True
    can be passed to the functions. It defaults to the value of the
    APT::Get::AllowUnauthenticated option.
    - Bump Breaks aptdaemon (<< 1.1.1+bzr982-0ubuntu28.1), as it will have
      to set that parameter after having done validation.
  * Automatic changes and fixes for external regressions:
    - Adjustments to test suite and CI to fix CI regressions
    - Automatic mirror list update

 -- Julian Andres Klode <email address hidden> Wed, 15 Jan 2020 16:35:02 +0100

Changed in python-apt (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-apt - 1.1.0~beta1ubuntu0.16.04.7

---------------
python-apt (1.1.0~beta1ubuntu0.16.04.7) xenial-security; urgency=medium

  * SECURITY UPDATE: Check that repository is trusted before downloading
    files from it (LP: #1858973)
    - apt/cache.py: Add checks to fetch_archives() and commit()
    - apt/package.py: Add checks to fetch_binary() and fetch_source()
    - CVE-2019-15796
  * SECURITY UPDATE: Do not use MD5 for verifying downloads
    (Closes: #944696) (#LP: #1858972)
    - apt/package.py: Use all hashes when fetching packages, and
      check that we have trusted hashes when downloading
    - CVE-2019-15795
  * To work around the new checks, the parameter allow_unauthenticated=True
    can be passed to the functions. It defaults to the value of the
    APT::Get::AllowUnauthenticated option.
    - Bump Breaks aptdaemon (<< 1.1.1+bzr982-0ubuntu14.2), as it will have
      to set that parameter after having done validation.
  * Necessary backports:
    - turn elements in apt_pkg.SourceRecords.files into a class, rather than
      a tuple (w/ legacy compat), so we can get to their hashes
    - add apt_pkg.HashStringList
    - add apt_pkg.Hashes.hashes
  * Automatic changes and fixes for external regressions:
    - Adjustments to test suite and CI to fix CI regressions
    - Automatic mirror list update

 -- Julian Andres Klode <email address hidden> Wed, 15 Jan 2020 17:14:05 +0100

Changed in python-apt (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-apt - 1.6.5ubuntu0.1

---------------
python-apt (1.6.5ubuntu0.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Check that repository is trusted before downloading
    files from it (LP: #1858973)
    - apt/cache.py: Add checks to fetch_archives() and commit()
    - apt/package.py: Add checks to fetch_binary() and fetch_source()
    - CVE-2019-15796
  * SECURITY UPDATE: Do not use MD5 for verifying downloads
    (Closes: #944696) (#LP: #1858972)
    - apt/package.py: Use all hashes when fetching packages, and
      check that we have trusted hashes when downloading
    - CVE-2019-15795
  * To work around the new checks, the parameter allow_unauthenticated=True
    can be passed to the functions. It defaults to the value of the
    APT::Get::AllowUnauthenticated option.
    - Bump Breaks aptdaemon (<< 1.1.1+bzr982-0ubuntu21.2), as it will have
      to set that parameter after having done validation.
  * Automatic changes and fixes for external regressions:
    - Adjustments to test suite and CI to fix CI regressions
    - Automatic mirror list update

 -- Julian Andres Klode <email address hidden> Wed, 15 Jan 2020 17:01:17 +0100

Changed in python-apt (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-apt - 1.8.5~ubuntu0.2

---------------
python-apt (1.8.5~ubuntu0.2) disco-security; urgency=medium

  * SECURITY UPDATE: Check that repository is trusted before downloading
    files from it (LP: #1858973)
    - apt/cache.py: Add checks to fetch_archives() and commit()
    - apt/package.py: Add checks to fetch_binary() and fetch_source()
    - CVE-2019-15796
  * SECURITY UPDATE: Do not use MD5 for verifying downloads
    (Closes: #944696) (#LP: #1858972)
    - apt/package.py: Use all hashes when fetching packages, and
      check that we have trusted hashes when downloading
    - CVE-2019-15795
  * To work around the new checks, the parameter allow_unauthenticated=True
    can be passed to the functions. It defaults to the value of the
    APT::Get::AllowUnauthenticated option.
    - Bump Breaks aptdaemon (<< 1.1.1+bzr982-0ubuntu21.2), as it will have
      to set that parameter after having done validation.
  * Automatic changes and fixes for external regressions:
    - Adjustments to test suite and CI to fix CI regressions
    - Automatic mirror list update
  * Backport to disco:
    - Compile with -fno-lto on Ubuntu to workaround compiler bugs in disco

 -- Julian Andres Klode <email address hidden> Wed, 15 Jan 2020 16:41:00 +0100

Changed in python-apt (Ubuntu):
status: New → Fix Released
Steve Beattie (sbeattie)
summary: - placeholder
+ python-apt uses MD5 for validation
description: updated
information type: Private Security → Public Security