click packages supply only DEBIAN/md5sums, but should also supply stronger hashes

Bug #1214485 reported by Jamie Strandboge on 2013-08-20
This bug affects 2 people
Affects Status Importance Assigned to Milestone
click (Ubuntu)

Bug Description

click packages provide DEBIAN/md5sums. When the package is signed, this is fine to guard against the package being modified without the developer knowing because altering files within the package results in the signature failing to verify.

However, a malicious developer is able to upload a signed package with altered files. We can verify the md5sums automatically to make sure they are in sync, but because MD5 is vulnerable to hash collisions, we can't be 100% sure the files didn't change. This isn't a problem with click or the appstore in and of itself at this time because I don't think DEBIAN/md5sums is being used for change detection, but if we start to rely on the sums in DEBIAN/md5sums for change detection between click package uploads, then we will need to use a stronger hashing algorithm.

Related branches

tags: added: appstore
Changed in click (Ubuntu):
importance: Undecided → Medium
Colin Watson (cjwatson) on 2013-08-27
Changed in click (Ubuntu):
status: New → Triaged
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers