Differences between revisions 4 and 5
Revision 4 as of 2017-02-26 16:41:46
Size: 4151
Comment: fix quoted source code
Revision 5 as of 2017-02-26 16:47:55
Size: 4155
Comment: bug numbers
Deletions are marked like this. Additions are marked like this.
Line 71: Line 71:
  * Debian Bug #XXXXXX in cdebootstrap:   * [[DebianBug:856213]] in cdebootstrap:
Line 89: Line 89:
  * Debian Bug #XXXXXX in cdebootstrap:   * [[DebianBug:856215]] in cdebootstrap:

In the aftermath of https://shattered.it we look at the usage of sha1 in DebianInstaller and what we found was a debacle…

Tasks

  • file bugs against the affected Debian packages
  • submit patches, begin testing
  • discuss with d-i and release teams how to handle this for stretch
  • discuss how to handle this in older stable releases
  • register domain name for the bug, produce logo and merchandise

Overview

Each official Debian release publishes a Release file, with a detached Release.gpg signature file to authenticate it. Packages files exist for each architecture (and for each component: main, contrib, non-free), but they do not have GnuPG signatures. Instead, the Release file contains checksums to authenticate each of the Packages files.

The 'woody' release (2002) was the first to publish SHA1 sums of Packages files in the Release file. Prior to that, only an MD5Sum field was present.

The 'etch' release (2007) also added a field for SHA256 sums. But to date, libdebian-installer does not parse it, so anna (which fetches .udeb installer component) and cdebootstrap (which fetches .deb base system packages) can not yet verify the SHA256 sums.

http://sources.debian.net/src/libdebian-installer/0.108/include/debian-installer/release.h/#L43

http://sources.debian.net/src/libdebian-installer/0.108/include/debian-installer/release.h/#L58

http://sources.debian.net/src/libdebian-installer/0.108/include/debian-installer/package.h/#L115

  • 856210 in libdebian-installer:

    • please parse SHA256 field and add it to di_* structs

To date, anna still only implements MD5 verification of .udeb files, and cdebootstrap only implements MD5 verification of .deb files, despite its formal deprecation as a digital signature algorithm by RFC6151 (2011) and recommendations of academic literature years prior. The files are typically downloaded via insecure HTTP transport, so the checksum verification is critical for the security of the installed system.

https://tools.ietf.org/html/rfc6151#section-2

http://sources.debian.net/src/anna/1.57/anna.c/#L321

  • 856211 in anna:

    • please implement SHA256 verification of .udeb files

http://sources.debian.net/src/cdebootstrap/0.7.6/src/check.c/#L61

  • 856212 in cdebootstrap:

    • please implement SHA256 verification of .deb files

cdebootstrap did however, in version 0.5.8 (2011) implement verification of the Packages files using the SHA1 field of the Release file. That first featured in the installer of the 'wheezy' release (2013).

But whereas md5sum yields a 32-byte hex string, sha1sum yields a 40-byte hex string. cdebootstrap did not consider this, and so it would only compare the first 32 bytes of the hex string against the expected value (effectively truncating the SHA1 hash from 160 to only 128 bits):

http://sources.debian.net/src/cdebootstrap/0.7.6/src/check.c/#L54

  if (!strncmp (buf, sum, 32))
  • 856213 in cdebootstrap:

    • SHA1 verification truncates hash from 160 to 128 bits

The current Debian 'testing' release - the upcoming 'stretch' release candidate - removed the SHA1 sums from the Release file. That was intended to deprecate it in favour of SHA256. An unintended consequence is that cdebootstrap, when SHA1 sums are unavailable, falls back to using only the MD5Sum field instead:

http://sources.debian.net/src/cdebootstrap/0.7.6/src/check.c/#L79

  if (item->sum[1])
    return check_sum (target, "sha1sum", item->sum[1], buf_name);
  if (item->sum[0])
    return check_sum (target, "md5sum", item->sum[0], buf_name);
  • 856215 in cdebootstrap:

    • since SHA1 removal from Release file, only MD5sums are used

APT, the package manager used on an already-installed system, is not affected. SHA256 has already replaced SHA1 and MD5 there:

https://wiki.debian.org/Teams/Apt/Sha1Removal

Acknowledgements

Work on these issues began at the Berlin BSP, 2017-02. Many thanks to our hosts, Endocode AG!