Activity log for bug #1890006

Date Who What changed Old value New value Message
2020-08-01 21:57:51 Andrew bug added bug
2020-08-01 21:57:51 Andrew attachment added minimal poc, file producing hash mismatches, version listing https://bugs.launchpad.net/bugs/1890006/+attachment/5397801/+files/hash_mismatch_poc.tgz
2020-08-02 02:24:25 Chris Guiver bug added subscriber Chris Guiver
2020-08-02 16:57:32 Andrew tags apport-collected focal
2020-08-02 16:57:32 Andrew description

Old value:

This is a really weird bug that is happening on Ubuntu 20.04 LTS (Live ISO!!!) and Kali 2020.2, but not Debian 10 (so, it affects at least apt 2.0.2ubuntu0.1 and does not affect 1.8.2.1). It also only occurs on a single PC (as far as I know). All testing was done in VirtualBox, and moving the VMs to another PC fixed the issue (without changing anything inside the VM).

On running "apt update", there is an error "Hash Sum mismatch" which shows that the SHA1 and SHA256 hashes differ from expected (while MD5 and file size are correct). E.g.:

Hash Sum mismatch
Hashes of expected file:
 - Filesize:314536 [weak]
 - SHA256:aa1c6c96b09a0c695dc475d99b407c675e564fbfe51b3e26230c6320b45666d0
 - SHA1:4f438d7e0c78dfb0486f86dc0a3dba30575eb617 [weak]
 - MD5Sum:5269212c54feb3dceabadb66583f6778 [weak]
Hashes of received file:
 - SHA256:f47a968e7a10aff91df8b1d3f682ce11d161ff1b17056268b9ae1c10447523b2
 - SHA1:2839e062232ed234d0c04e60fe6b2a687c950e5b [weak]
 - MD5Sum:5269212c54feb3dceabadb66583f6778 [weak]
 - Filesize:314536 [weak]

I ran a packet capture and extracted the archives which are getting verified. All of their hashes are correct (exactly as expected). It seems that calculating SHA1 and SHA256 the way APT does it produces the wrong result, while running the command line tools sha1sum and sha256sum (on the same PC inside the same VM) produces the correct result.

I wrote the minimal reproducible example (hashtest.cc) that produces output such as this:

Calculating hashes same way apt does.
 - MD5Sum:c89b13b76197d0d554400e00e46c0740
 - SHA1:f6901a4486e69a1f503401daa02b520f1b0e22ba
 - SHA256:9075301b3961aca23b69bf2868a18dca184b383a0ec1de35516f0a8a182c2cb6
 - SHA512:7506f6f5c5d5e97f8c6ecac2489e7d6260002bd530370c6193a04620f94285dca0f5cf2bb9ead40afbd72fdf3a239349a57f81165b5b857af6ad7ddeab8da036
 - Checksum-FileSize:892549
Calculating hashes through command line tools.
 - md5sum: c89b13b76197d0d554400e00e46c0740
 - sha1sum: f6901a4486e69a1f503401daa02b520f1b0e22ba
 - sha256sum: 9075301b3961aca23b69bf2868a18dca184b383a0ec1de35516f0a8a182c2cb6
 - sha512sum: 7506f6f5c5d5e97f8c6ecac2489e7d6260002bd530370c6193a04620f94285dca0f5cf2bb9ead40afbd72fdf3a239349a57f81165b5b857af6ad7ddeab8da036

It's in the attachment along with an example file that causes this hash mismatch. There's also debug.log which contains various versions, etc. (although as I said, it has been verified on the latest Ubuntu Live ISO).

I have a suspicion that the bug is in the gcrypt library, not apt itself, but I haven't yet verified it. The libgcrypt20 version in Ubuntu is 1.8.5-5ubuntu1 (in Kali as well), while Debian 10 (which isn't affected) uses 1.8.4-5.

New value: the same text as the old value, followed by:

---
ProblemType: Bug
ApportVersion: 2.20.11-0ubuntu27
Architecture: amd64
CasperMD5CheckMismatches: ./casper/filesystem.squashfs
CasperMD5CheckResult: fail
CasperVersion: 1.445
DistroRelease: Ubuntu 20.04
LiveMediaBuild: Ubuntu 20.04 LTS "Focal Fossa" - Release amd64 (20200423)
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
Package: apt 2.0.2
PackageArchitecture: amd64
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 5.4.0-26.30-generic 5.4.30
Tags: focal
Uname: Linux 5.4.0-26-generic x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups:
_MarkForUpload: True
2020-08-02 16:57:33 Andrew attachment added Dependencies.txt https://bugs.launchpad.net/bugs/1890006/+attachment/5397968/+files/Dependencies.txt
2020-08-02 16:57:34 Andrew attachment added ProcCpuinfoMinimal.txt https://bugs.launchpad.net/bugs/1890006/+attachment/5397969/+files/ProcCpuinfoMinimal.txt
2020-08-21 14:17:41 Julian Andres Klode affects apt (Ubuntu) libgcrypt20 (Ubuntu)
2020-08-29 10:33:10 Almighty Alpaca bug added subscriber Almighty Alpaca
2020-09-11 10:46:37 Kai Kasurinen bug added subscriber Kai Kasurinen
2020-09-27 20:39:07 Launchpad Janitor libgcrypt20 (Ubuntu): status New Confirmed
2023-07-18 13:13:10 Adrien Nader libgcrypt20 (Ubuntu): status Confirmed Incomplete
2023-09-17 04:17:10 Launchpad Janitor libgcrypt20 (Ubuntu): status Incomplete Expired