In the aftermath of https://shattered.it we looked at the usage of SHA1 in DebianInstaller and what we found was a debacle… (/Discussion page for this issue)
Tasks
- file bugs against the affected Debian packages
- submit patches, begin testing
- discuss with d-i and release teams how to handle this for stretch
- discuss how to handle this in older stable releases
- check how any derivatives might be affected
- register domain name for the bug, produce logo and merchandise
Overview
Each official Debian release publishes a Release file, with a detached Release.gpg signature file to authenticate it. Packages files exist for each architecture (and for each component: main, contrib, non-free), but they do not have GnuPG signatures. Instead, the Release file contains checksums to authenticate each of the Packages files.
The 'woody' release (2002) was the first to publish SHA1 sums of Packages files in the Release file. Prior to that, only an MD5Sum field was present.
The 'etch' release (2007) also added a field for SHA256 sums. But to date, libdebian-installer does not parse it, so anna (which fetches .udeb installer components) and cdebootstrap (which fetches .deb base system packages; a utility available in stretch, but not known to be used by the Debian installer) cannot yet verify the SHA256 sums.
http://sources.debian.net/src/libdebian-installer/0.108/include/debian-installer/release.h/#L43
http://sources.debian.net/src/libdebian-installer/0.108/include/debian-installer/release.h/#L58
http://sources.debian.net/src/libdebian-installer/0.108/include/debian-installer/package.h/#L115
856210 in libdebian-installer: (fixed in sid)
- please parse SHA256 field and add it to di_* structs
To date, anna still only implements MD5 verification of .udeb files, and cdebootstrap only implements MD5 verification of .deb files, despite the formal deprecation of MD5 for use in digital signatures by RFC6151 (2011) and recommendations of academic literature years prior. For netboot installs, the files are typically downloaded via insecure HTTP transport, so the checksum verification is critical for the security of the installed system. Some install media bundle all of the needed .udeb files, so they are not downloaded, unless the archive has newer versions maybe?
https://tools.ietf.org/html/rfc6151#section-2
http://sources.debian.net/src/anna/1.57/anna.c/#L321
856211 in anna: (fixed in sid)
- please implement SHA256 verification of .udeb files
Note: the Packages list file is verified by net-retriever using SHA256, but .udeb files apparently are not.
http://sources.debian.net/src/cdebootstrap/0.7.6/src/check.c/#L61
856212 in cdebootstrap: (fixed in sid)
- please implement SHA256 verification of .deb files
cdebootstrap did, however, implement verification of the Packages files using the SHA1 field of the Release file in version 0.5.8 (2011). That first featured in the installer of the 'wheezy' release (2013). The Debian installer is not using cdebootstrap, at least not in stretch or jessie.
But whereas md5sum yields a 32-byte hex string, sha1sum yields a 40-byte hex string. cdebootstrap did not consider this, and so it would only compare the first 32 bytes of the hex string against the expected value (effectively truncating the SHA1 hash from 160 to only 128 bits):
http://sources.debian.net/src/cdebootstrap/0.7.6/src/check.c/#L54
if (!strncmp (buf, sum, 32))
856213 in cdebootstrap: (fixed in sid)
- SHA1 verification truncates hash from 160 to 128 bits
The current Debian 'testing' release - the upcoming 'stretch' release candidate - removed the SHA1 sums from the Release file. That was intended to deprecate it in favour of SHA256. An unintended consequence is that cdebootstrap, when SHA1 sums are unavailable, falls back to using only the MD5Sum field instead:
http://sources.debian.net/src/cdebootstrap/0.7.6/src/check.c/#L79
if (item->sum[1])
  return check_sum (target, "sha1sum", item->sum[1], buf_name);
if (item->sum[0])
  return check_sum (target, "md5sum", item->sum[0], buf_name);
856215 in cdebootstrap: (fixed in sid)
- since SHA1 removal from Release file, only MD5sums are used
Edited to add: we missed an earlier chance to fix this when 615883 (fixed in sid) was reported (2011).
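The two cdebootstrap problems above (the 32-character comparison and the fallback to MD5), set beside a stricter form, as an added example that is not code from cdebootstrap or from this page. The function names, the SHA256 array index and the sample strings are assumptions of the example; it does not reproduce the fix that went into sid.

```c
#include <stdio.h>
#include <string.h>

/* Indexes follow the page's item->sum[0] (MD5) and item->sum[1] (SHA1);
   index 2 for SHA256 is an assumption of this example. */
enum { SUM_MD5, SUM_SHA1, SUM_SHA256, SUM_COUNT };
static const size_t hex_len[SUM_COUNT] = { 32, 40, 64 };

/* Comparison as quoted above: only 32 hex characters (128 bits) are checked. */
int sums_match_truncated(const char *computed, const char *expected)
{
    return !strncmp(computed, expected, 32);
}

/* Full-length form: both strings must be exactly as long as the algorithm's
   hex digest, and every character must match. */
int sums_match_full(int algo, const char *computed, const char *expected)
{
    if (algo < 0 || algo >= SUM_COUNT)
        return 0;
    if (strlen(computed) != hex_len[algo] || strlen(expected) != hex_len[algo])
        return 0;
    return memcmp(computed, expected, hex_len[algo]) == 0;
}

/* Digest selection that fails closed: returns SUM_SHA256 when the entry
   carries that field, -1 otherwise, rather than falling back to SHA1 or MD5. */
int select_sum(const char *const sum[SUM_COUNT])
{
    return sum[SUM_SHA256] ? SUM_SHA256 : -1;
}

/* Constructed sample data: two 40-character strings that differ only in
   their last 8 characters, and an entry that carries an MD5 sum only. */
static const char sample_a[] = "0123456789abcdef0123456789abcdef01234567";
static const char sample_b[] = "0123456789abcdef0123456789abcdef89abcdef";
static const char *const md5_only[SUM_COUNT] =
    { "0123456789abcdef0123456789abcdef", NULL, NULL };

int main(void)
{
    printf("truncated compare: %d\n", sums_match_truncated(sample_a, sample_b));
    printf("full compare:      %d\n", sums_match_full(SUM_SHA1, sample_a, sample_b));
    printf("selected digest:   %d\n", select_sum(md5_only));
    return 0;
}
```

The truncated comparison accepts the two sample strings as equal, the full-length one rejects them, and an entry with only an MD5 sum is refused instead of being checked with MD5.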
APT, the package manager used on already-installed systems, is not affected. SHA256 has already replaced SHA1 and MD5 there:
https://wiki.debian.org/Teams/Apt/Sha1Removal
Acknowledgements
Work on these issues began at the Berlin BSP, 2017-02. Many thanks to our hosts, Endocode AG!