Bug 10204

Summary: rpm5 fails to verify package digest if one of available digests is MD5
Product: [ROSA-based products] ROSA Fresh Reporter: Dmitry Mikhirev <mikhirev>
Component: Preinstalled software in the ISOAssignee: ROSA Linux Bugs <bugs>
Status: RESOLVED FIXED    
Severity: normal CC: alzim, m.novosyolov
Priority: Normal    
Version: All   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Platform: --- ROSA Vulnerability identifier:
RPM Package: Upstream:
Attachments: Sample package with MD5 digest

Description Dmitry Mikhirev 2019-10-08 15:32:43 MSK 
Created attachment 5218 [details]
Sample package with MD5 digest

rpm5 reports that the package is broken if it contains a correct MD5 digest.

    $ rpm -v --checksig --nosignature drweb-workstations-11.1.1-1907111349linux.x86_64.rpm 
    drweb-workstations-11.1.1-1907111349linux.x86_64.rpm:
        Заголовок SHA1 digest: OK (1a2cd947d8cc0499d5bb6573bd9d047e89513767)
        MD5 digest: BAD Expected(85980e3a909a9b7462f64ec342abc0d500) != (85980e3a909a9b7462f64ec342abc0d5)

Note extra two zeroes in the end of the expected digest value.

This bug leads to impossibility to install such a package from a remote repository, because URPM checks digests after download. E. g. none package can be installed from this repo: https://repo.drweb.com/drweb/linux/11.1/x86_64/
Comment 1 Mikhail Novosyolov 2019-10-09 01:24:07 MSK 
Проблема не воспроизводится с родными для Росы пакетами, собранными непосредственно в RPM5:

rosa-2016 ~ # rpm -v --checksig --nosignature /var/cache/urpmi/rpms/bsdtar-3.3.3-1-rosa2016.1.x86_64.rpm
/var/cache/urpmi/rpms/bsdtar-3.3.3-1-rosa2016.1.x86_64.rpm:
    Заголовок SHA1 digest: OK (9664f3e65b593f0a91abd53652af873c0e5a6d5c)
    MD5 digest: OK (9af5f516b7a9958030162d3fe92422ad)

RPM4 (на Ubuntu) действительно считает MD5 правильным:
user@pay2:/tmp$ rpm -v --checksig --nosignature drweb-statd-11.1.1-1907111244linux.x86_64.rpm
drweb-statd-11.1.1-1907111244linux.x86_64.rpm:
    Header SHA1 digest: OK
    MD5 digest: OK
user@pay2:/tmp$ rpm --version
RPM version 4.14.2.1
user@pay2:/tmp$

MD5 собранных в Росе пакетов по мнению RPM4 тоже корректен:
user@pay2:/tmp$ sudo rpm -v --checksig --nosignature /var/lib/machines/rosa-2016.1//var/cache/urpmi/rpms/bsdtar-3.3.3-1-rosa2016.1.x86_64.rpm
/var/lib/machines/rosa-2016.1//var/cache/urpmi/rpms/bsdtar-3.3.3-1-rosa2016.1.x86_64.rpm:
    Header SHA1 digest: OK
    MD5 digest: OK


Вы собираете эти пакеты Dr.Web на Debian Stretch с помощью rpm 4.12 (https://packages.debian.org/stretch/rpm)? Выставлены ли какие-то особые параметры упаковки пакетов, например, %_binary_filedigest_algorithm ?
Comment 2 Mikhail Novosyolov 2019-10-09 01:49:06 MSK 
Код проверки MD5 здесь: https://abf.io/soft/rpm5/blob/master/rpmdb/signature.c#lc-612
Comment 3 Mikhail Novosyolov 2019-10-09 03:26:25 MSK 
(In reply to Mikhail Novosyolov from comment #2)
> Код проверки MD5 здесь:
> https://abf.io/soft/rpm5/blob/master/rpmdb/signature.c#lc-612

Эта функция verifyMD5 не виновата.
(gdb) break signature.c:648
(gdb) run
(gdb) p md5len
$1 = 16
(gdb) p siglen
$2 = 17

На вход в verifyMD5 приходит уже некорректный хеш. Срабатывает условие md5len != siglen. Откуда изначально берется (не)правильный хеш, пока не понял.
Comment 4 Mikhail Novosyolov 2020-01-28 22:51:56 MSK 
This has been worked around:
https://abf.io/soft/rpm5/commit/67a5f5e60fa6f409a5e67c560dce5a0659feea9c

Thanks for reporting!

--------------
RESOLVED FIXED
Comment 5 Mikhail Novosyolov 2020-02-15 19:50:18 MSK 
Also backported to rosa2014.1, see bug#10458