file bugs against the affected Debian packages
submit patches, begin testing
discuss with d-i and release teams how to handle this for stretch
- discuss how to handle this in older stable releases
- check how any derivatives might be affected
- register domain name for the bug, produce logo and merchandise
Each official Debian release publishes a Release file, with a detached Release.gpg signature file to authenticate it. Packages files exist for each architecture (and for each component: main, contrib, non-free), but they do not have GnuPG signatures. Instead, the Release file contains checksums to authenticate each of the Packages files.
The 'woody' release (2002) was the first to publish SHA1 sums of Packages files in the Release file. Prior to that, only an MD5Sum field was present.
The 'etch' release (2007) also added a field for SHA256 sums. But to date, libdebian-installer does not parse it, so anna (which fetches .udeb installer component) and cdebootstrap (which fetches .deb base system packages a utility available in stretch, but not known to be used by the Debian installer) can not yet verify the SHA256 sums.
856210 in libdebian-installer: (fixed in sid)
- please parse SHA256 field and add it to di_* structs
To date, anna still only implements MD5 verification of .udeb files, and cdebootstrap only implements MD5 verification of .deb files, despite its formal deprecation as a digital signature algorithm by RFC6151 (2011) and recommendations of academic literature years prior. The files are (for netboot installs,) typically downloaded via insecure HTTP transport, so the checksum verification is critical for the security of the installed system. Some install media bundles all of the needed .udeb files, so they are not downloaded, unless the archive has newer versions maybe?
856211 in anna: (fixed in sid)
- please implement SHA256 verification of .udeb files
Note: the Packages list file is verified by net-retriever using SHA256, but .udeb files apparently not
856212 in cdebootstrap: (fixed in sid)
- please implement SHA256 verification of .deb files
cdebootstrap did however, in version 0.5.8 (2011) implement verification of the Packages files using the SHA1 field of the Release file. That first featured in the installer of the 'wheezy' release (2013). The Debian installer is not using cdebootstrap, at least not in stretch, jessie
But whereas md5sum yields a 32-byte hex string, sha1sum yields a 40-byte hex string. cdebootstrap did not consider this, and so it would only compare the first 32 bytes of the hex string against the expected value (effectively truncating the SHA1 hash from 160 to only 128 bits):
if (!strncmp (buf, sum, 32))
856213 in cdebootstrap: (fixed in sid)
- SHA1 verification truncates hash from 160 to 128 bits
The current Debian 'testing' release - the upcoming 'stretch' release candidate - removed the SHA1 sums from the Release file. That was intended to deprecate it in favour of SHA256. An unintended consequence is that cdebootstrap, when SHA1 sums are unavailable, falls back to using only the MD5Sum field instead:
if (item->sum) return check_sum (target, "sha1sum", item->sum, buf_name); if (item->sum) return check_sum (target, "md5sum", item->sum, buf_name);
856215 in cdebootstrap: (fixed in sid)
- since SHA1 removal from Release file, only MD5sums are used
Edited to add: we missed an earlier chance to fix this when 615883 (fixed in sid) was reported (2011).
APT, the package manager used on already-installed systems, is not affected. SHA256 has already replaced SHA1 and MD5 there:
Work on these issues began at the Berlin BSP, 2017-02. Many thanks to our hosts, Endocode AG!