python-apt uses MD5 for validation

Bug #1858972 reported by Seth Arnold on 2020-01-09
Affects: python-apt (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Only MD5 is checked (most versions)

In stable releases, and in unstable, only the MD5 sums of the downloaded files are checked. 1.9.0 was broken as it still referred to the md5 field, but the field went away, so it would raise an exception if you tried to use it - so that's safe :D

experimental (1.9.1) checks all hash sums, but only if some are present - it would happily accept an empty list of hashes - 1.9.2 will fix this issue by checking that the list of hashes is "usable", as it's called in apt, completing the proper fix.

The only versions not affected by this are the ones in Ubuntu eoan and focal, as they hardcoded SHA256 instead of MD5 as a workaround to code failing because MD5 went away.
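To make the three behaviours named in the description concrete, here is an illustrative Python model of a download verifier written for this page. It is not python-apt's own code: the class and function names (HashList, verify_md5_only, verify_all_if_present, verify_fixed, outcome) and the choice of which algorithms count as "strong" are assumptions, loosely modelled on apt's notion of a "usable" hash list, and the package bytes are constructed sample data.

```python
"""Model of the hash-validation behaviours described in this bug report.

Illustrative code written for this page, not python-apt's implementation.
It contrasts a verifier that only checks MD5, one that checks every listed
hash but accepts an empty list, and one that refuses to proceed unless the
hash list is "usable" (contains at least one strong algorithm).
"""
import hashlib
from dataclasses import dataclass, field

# Assumption: MD5 and SHA-1 are treated as untrusted for verification,
# SHA-256 and SHA-512 as trusted. This mirrors apt's weak/strong split.
STRONG_ALGORITHMS = {"sha256", "sha512"}


class VerificationError(Exception):
    """Raised when a download cannot be authenticated."""


@dataclass
class HashList:
    """Expected digests for one file, keyed by hashlib algorithm name."""
    digests: dict = field(default_factory=dict)

    @property
    def usable(self) -> bool:
        """True if at least one strong algorithm is present.

        An empty list, or a list holding only MD5, is not usable.
        """
        return any(alg in STRONG_ALGORITHMS for alg in self.digests)


def compute(alg: str, data: bytes) -> str:
    """Hex digest of data under the named algorithm."""
    return hashlib.new(alg, data).hexdigest()


def expected_hashes(data: bytes, algs) -> HashList:
    """Build the hash list a repository index would publish for data."""
    return HashList({alg: compute(alg, data) for alg in algs})


def verify_md5_only(data: bytes, hashes: HashList) -> bool:
    """Stable-release behaviour from the description: only MD5 is checked."""
    return compute("md5", data) == hashes.digests.get("md5")


def verify_all_if_present(data: bytes, hashes: HashList) -> bool:
    """1.9.1 behaviour from the description: every listed hash is checked,
    but an empty list passes, because all() over nothing is True."""
    return all(compute(alg, d) == expected
               for alg, expected in hashes.digests.items()
               for d in (data,))


def verify_fixed(data: bytes, hashes: HashList,
                 allow_unauthenticated: bool = False) -> bool:
    """1.9.2-style behaviour: require a usable list (unless the caller
    explicitly opts out), then check every hash in it."""
    if not hashes.usable and not allow_unauthenticated:
        raise VerificationError("no trusted hash available for download")
    if not verify_all_if_present(data, hashes):
        raise VerificationError("hash mismatch")
    return True


def outcome(verifier, data: bytes, hashes: HashList, **kw) -> str:
    """Run a verifier and report 'accepted' or 'rejected' instead of raising."""
    try:
        return "accepted" if verifier(data, hashes, **kw) else "rejected"
    except VerificationError:
        return "rejected"


# Constructed sample data standing in for a package file and a modified copy.
GENUINE = b"constructed package contents\n"
TAMPERED = b"constructed package contents, modified\n"

if __name__ == "__main__":
    md5_only = expected_hashes(GENUINE, ["md5"])
    full = expected_hashes(GENUINE, ["md5", "sha256"])
    print("empty list, tampered file, check-all :",
          outcome(verify_all_if_present, TAMPERED, HashList()))
    print("empty list, tampered file, fixed     :",
          outcome(verify_fixed, TAMPERED, HashList()))
    print("md5-only list, genuine file, fixed   :",
          outcome(verify_fixed, GENUINE, md5_only))
    print("full list, tampered file, fixed      :",
          outcome(verify_fixed, TAMPERED, full))
```

Running the script shows the two failure modes side by side: the check-all verifier accepts the tampered file when the hash list is empty, while the fixed verifier rejects both the empty list and the MD5-only list outright, and only accepts a file whose strong hash matches. The allow_unauthenticated parameter is the explicit opt-out the changelog entries below describe.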


Julian Andres Klode (juliank) wrote :

All diffs have passed CI, and local autopkgtest.

Julian Andres Klode (juliank) wrote :

On upload, it would be great if the version in the tarball dirname matches the version of the upload. I have .dsc that do so, but if you just apply the debdiff to the release version and run dpkg-source/buildpackage you end up with the old version number inside the tarball.

Julian Andres Klode (juliank) wrote :

Patches for precise and trusty. The precise one does not have autopkgtest, but CI passed (and runs the same test cases), so that's something.

Also, all test cases run during build anyway.

Julian Andres Klode (juliank) wrote :

Please note that this requires patching aptdaemon across all releases, I have provided such a patch in bug 1858973 - as aptdaemon is only affected by that one.

The Breaks: aptdaemon have been bumped according to what the new aptdaemon versions with the patch applied will be, so that installing this update cannot break your aptdaemon use cases.

Julian Andres Klode (juliank) wrote :

Oh, the precise and trusty ones currently also require SHA256 unless allow_unauthenticated has been passed which is stronger than apt-get does. Probably should remove that check, so it's consistent with apt.

Hi @juliank,

Can I use these debdiffs for precise and trusty, or will you make any changes to them?

Thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-apt - 1.9.0ubuntu1.2

---------------
python-apt (1.9.0ubuntu1.2) eoan-security; urgency=medium

  * SECURITY UPDATE: Check that repository is trusted before downloading
    files from it (LP: #1858973)
    - apt/cache.py: Add checks to fetch_archives() and commit()
    - apt/package.py: Add checks to fetch_binary() and fetch_source()
    - CVE-2019-15796
  * SECURITY UPDATE: Do not use MD5 for verifying downloadeds
    (Closes: #944696) (#LP: #1858972)
    - apt/package.py: Use all hashes when fetching packages, and
      check that we have trusted hashes when downloading
    - CVE-2019-15795
  * To work around the new checks, the parameter allow_unauthenticated=True
    can be passed to the functions. It defaults to the value of the
    APT::Get::AllowUnauthenticated option.
    - Bump Breaks aptdaemon (<< 1.1.1+bzr982-0ubuntu28.1), as it will have
      to set that parameter after having done validation.
  * Automatic changes and fixes for external regressions:
    - Adjustments to test suite and CI to fix CI regressions
    - Automatic mirror list update

 -- Julian Andres Klode <email address hidden> Wed, 15 Jan 2020 16:35:02 +0100

Changed in python-apt (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-apt - 1.1.0~beta1ubuntu0.16.04.7

---------------
python-apt (1.1.0~beta1ubuntu0.16.04.7) xenial-security; urgency=medium

  * SECURITY UPDATE: Check that repository is trusted before downloading
    files from it (LP: #1858973)
    - apt/cache.py: Add checks to fetch_archives() and commit()
    - apt/package.py: Add checks to fetch_binary() and fetch_source()
    - CVE-2019-15796
  * SECURITY UPDATE: Do not use MD5 for verifying downloadeds
    (Closes: #944696) (#LP: #1858972)
    - apt/package.py: Use all hashes when fetching packages, and
      check that we have trusted hashes when downloading
    - CVE-2019-15795
  * To work around the new checks, the parameter allow_unauthenticated=True
    can be passed to the functions. It defaults to the value of the
    APT::Get::AllowUnauthenticated option.
    - Bump Breaks aptdaemon (<< 1.1.1+bzr982-0ubuntu14.2), as it will have
      to set that parameter after having done validation.
  * Necessary backports:
    - turn elements in apt_pkg.SourceRecords.files into a class, rather than
      a tuple (w/ legacy compat), so we can get to their hashes
    - add apt_pkg.HashStringList
    - add apt_pkg.Hashes.hashes
  * Automatic changes and fixes for external regressions:
    - Adjustments to test suite and CI to fix CI regressions
    - Automatic mirror list update

 -- Julian Andres Klode <email address hidden> Wed, 15 Jan 2020 17:14:05 +0100

Changed in python-apt (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-apt - 1.6.5ubuntu0.1

---------------
python-apt (1.6.5ubuntu0.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Check that repository is trusted before downloading
    files from it (LP: #1858973)
    - apt/cache.py: Add checks to fetch_archives() and commit()
    - apt/package.py: Add checks to fetch_binary() and fetch_source()
    - CVE-2019-15796
  * SECURITY UPDATE: Do not use MD5 for verifying downloadeds
    (Closes: #944696) (#LP: #1858972)
    - apt/package.py: Use all hashes when fetching packages, and
      check that we have trusted hashes when downloading
    - CVE-2019-15795
  * To work around the new checks, the parameter allow_unauthenticated=True
    can be passed to the functions. It defaults to the value of the
    APT::Get::AllowUnauthenticated option.
    - Bump Breaks aptdaemon (<< 1.1.1+bzr982-0ubuntu21.2), as it will have
      to set that parameter after having done validation.
  * Automatic changes and fixes for external regressions:
    - Adjustments to test suite and CI to fix CI regressions
    - Automatic mirror list update

 -- Julian Andres Klode <email address hidden> Wed, 15 Jan 2020 17:01:17 +0100

Changed in python-apt (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-apt - 1.8.5~ubuntu0.2

---------------
python-apt (1.8.5~ubuntu0.2) disco-security; urgency=medium

  * SECURITY UPDATE: Check that repository is trusted before downloading
    files from it (LP: #1858973)
    - apt/cache.py: Add checks to fetch_archives() and commit()
    - apt/package.py: Add checks to fetch_binary() and fetch_source()
    - CVE-2019-15796
  * SECURITY UPDATE: Do not use MD5 for verifying downloadeds
    (Closes: #944696) (#LP: #1858972)
    - apt/package.py: Use all hashes when fetching packages, and
      check that we have trusted hashes when downloading
    - CVE-2019-15795
  * To work around the new checks, the parameter allow_unauthenticated=True
    can be passed to the functions. It defaults to the value of the
    APT::Get::AllowUnauthenticated option.
    - Bump Breaks aptdaemon (<< 1.1.1+bzr982-0ubuntu21.2), as it will have
      to set that parameter after having done validation.
  * Automatic changes and fixes for external regressions:
    - Adjustments to test suite and CI to fix CI regressions
    - Automatic mirror list update
  * Backport to disco:
    - Compile with -fno-lto on Ubuntu to workaround compiler bugs in disco

 -- Julian Andres Klode <email address hidden> Wed, 15 Jan 2020 16:41:00 +0100

Changed in python-apt (Ubuntu):
status: New → Fix Released
Steve Beattie (sbeattie) on 2020-01-31
summary: - placeholder
+ python-apt uses MD5 for validation
description: updated
information type: Private Security → Public Security