Bug 10204 - rpm5 fails to verify package digest if one of available digests is MD5
Summary: rpm5 fails to verify package digest if one of available digests is MD5
Status: RESOLVED FIXED
Alias: None
Product: ROSA Fresh
Classification: ROSA-based products
Component: Preinstalled software in the ISO
Version: All
Hardware: All Linux
Importance: Normal normal
Target Milestone: ---
Assignee: ROSA Linux Bugs
URL:
Whiteboard:
Depends on:
Blocks:
 
Reported: 2019-10-08 15:32 MSK by Dmitry Mikhirev
Modified: 2020-02-15 19:50 MSK (History)

See Also:
Platform: ---
ROSA Vulnerability identifier:
RPM Package:
Upstream:


Attachments
Sample package with MD5 digest (6.73 KB, application/x-redhat-package-manager)
2019-10-08 15:32 MSK, Dmitry Mikhirev

Description Dmitry Mikhirev 2019-10-08 15:32:43 MSK
Created attachment 5218
Sample package with MD5 digest

rpm5 reports that the package is broken if it contains a correct MD5 digest.

    $ rpm -v --checksig --nosignature drweb-workstations-11.1.1-1907111349linux.x86_64.rpm 
    drweb-workstations-11.1.1-1907111349linux.x86_64.rpm:
        Header SHA1 digest: OK (1a2cd947d8cc0499d5bb6573bd9d047e89513767)
        MD5 digest: BAD Expected(85980e3a909a9b7462f64ec342abc0d500) != (85980e3a909a9b7462f64ec342abc0d5)

Note the two extra zeroes at the end of the expected digest value.

This bug makes it impossible to install such a package from a remote repository, because URPM checks digests after download. E.g. no package can be installed from this repo: https://repo.drweb.com/drweb/linux/11.1/x86_64/
Comment 1 Mikhail Novosyolov 2019-10-09 01:24:07 MSK
The problem does not reproduce with ROSA's native packages, built directly with RPM5:

rosa-2016 ~ # rpm -v --checksig --nosignature /var/cache/urpmi/rpms/bsdtar-3.3.3-1-rosa2016.1.x86_64.rpm
/var/cache/urpmi/rpms/bsdtar-3.3.3-1-rosa2016.1.x86_64.rpm:
    Header SHA1 digest: OK (9664f3e65b593f0a91abd53652af873c0e5a6d5c)
    MD5 digest: OK (9af5f516b7a9958030162d3fe92422ad)

RPM4 (on Ubuntu) does consider the MD5 correct:
user@pay2:/tmp$ rpm -v --checksig --nosignature drweb-statd-11.1.1-1907111244linux.x86_64.rpm
drweb-statd-11.1.1-1907111244linux.x86_64.rpm:
    Header SHA1 digest: OK
    MD5 digest: OK
user@pay2:/tmp$ rpm --version
RPM version 4.14.2.1
user@pay2:/tmp$

According to RPM4, the MD5 of packages built in ROSA is also correct:
user@pay2:/tmp$ sudo rpm -v --checksig --nosignature /var/lib/machines/rosa-2016.1//var/cache/urpmi/rpms/bsdtar-3.3.3-1-rosa2016.1.x86_64.rpm
/var/lib/machines/rosa-2016.1//var/cache/urpmi/rpms/bsdtar-3.3.3-1-rosa2016.1.x86_64.rpm:
    Header SHA1 digest: OK
    MD5 digest: OK


Are you building these Dr.Web packages on Debian Stretch with rpm 4.12 (https://packages.debian.org/stretch/rpm)? Are any special packaging parameters set, for example %_binary_filedigest_algorithm?
Comment 2 Mikhail Novosyolov 2019-10-09 01:49:06 MSK
The MD5 verification code is here: https://abf.io/soft/rpm5/blob/master/rpmdb/signature.c#lc-612
Comment 3 Mikhail Novosyolov 2019-10-09 03:26:25 MSK
(In reply to Mikhail Novosyolov from comment #2)
> The MD5 verification code is here:
> https://abf.io/soft/rpm5/blob/master/rpmdb/signature.c#lc-612

The verifyMD5 function itself is not to blame.
(gdb) break signature.c:648
(gdb) run
(gdb) p md5len
$1 = 16
(gdb) p siglen
$2 = 17

verifyMD5 already receives an incorrect hash as input, so the md5len != siglen condition triggers. Where the (in)correct hash originally comes from, I have not figured out yet.
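The two observations above fit together: the "expected" value printed in the description is 34 hex characters (17 bytes, the real digest followed by 0x00), and the gdb session shows verifyMD5 being handed a 17-byte value where a 16-byte MD5 is required, so rpm5 fails closed on the length mismatch before comparing any digest bytes. The following is an added example, not code from rpm5, RPM4 or anyone in this thread. It implements the standard RPM on-disk layout (96-byte lead, signature header with magic 8e ad e8 01, 16-byte index entries, RPMSIGTAG_MD5 = 1004 stored as type BIN = 7, signature header padded to 8 bytes, MD5 covering everything after that padding), builds two constructed mini-packages, one with a 16-byte MD5 entry and one with a 17-byte entry ending in a NUL, and checks them the way the report's output suggests. The `tolerate_trailing_nul` mode is a hypothetical illustration of what a compatibility workaround could look like; it is an assumption here and is not a description of the actual rpm5 commit.

```python
"""Minimal RPM signature-header parser reproducing the md5len != siglen check.

Constructed demo (not rpm5 code): builds two tiny fake packages, one whose
RPMSIGTAG_MD5 entry is 16 bytes and one whose entry is 17 bytes (digest plus
a trailing 0x00), and verifies both.
"""
import hashlib
import struct

RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"   # start of the fixed 96-byte lead
RPM_LEAD_SIZE = 96
HEADER_MAGIC = b"\x8e\xad\xe8\x01"     # header structure magic + version 1
RPMSIGTAG_MD5 = 1004                    # MD5 over header + payload, BIN, 16 bytes
RPM_BIN_TYPE = 7
MD5_LEN = 16


def parse_header(blob, off):
    """Parse one RPM header structure at `off`.

    Returns ({tag: (type, raw_bytes_or_None)}, end) where `end` is the offset
    just past the data store, before any alignment padding.
    """
    if blob[off:off + 4] != HEADER_MAGIC:
        raise ValueError("bad header magic at offset %d" % off)
    nindex, hsize = struct.unpack(">II", blob[off + 8:off + 16])
    idx = off + 16
    data_start = idx + 16 * nindex
    data = blob[data_start:data_start + hsize]
    if len(data) != hsize:
        raise ValueError("truncated header data store")
    entries = {}
    for i in range(nindex):
        tag, typ, offset, count = struct.unpack(">IIII", blob[idx + 16 * i:idx + 16 * (i + 1)])
        # For BIN entries `count` is a byte length; other types are not needed here.
        entries[tag] = (typ, data[offset:offset + count] if typ == RPM_BIN_TYPE else None)
    return entries, data_start + hsize


def verify_md5(pkg, tolerate_trailing_nul=False):
    """Compare RPMSIGTAG_MD5 with MD5(header + payload).

    Returns (status, expected_hex, actual_hex), mirroring rpm's
    'MD5 digest: BAD Expected(...) != (...)' line.  tolerate_trailing_nul is a
    hypothetical lenient mode: a 17-byte value whose last byte is 0x00 is
    treated as the 16-byte digest in front of it.
    """
    if pkg[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead magic")
    entries, end = parse_header(pkg, RPM_LEAD_SIZE)
    # The signature header is padded to an 8-byte boundary; the MD5 covers
    # everything after that padding (main header + compressed cpio payload).
    end += (8 - (end - RPM_LEAD_SIZE) % 8) % 8
    actual = hashlib.md5(pkg[end:]).digest()
    if RPMSIGTAG_MD5 not in entries:
        return ("NOTFOUND", "", actual.hex())
    typ, stored = entries[RPMSIGTAG_MD5]
    if typ != RPM_BIN_TYPE:
        return ("BAD", "", actual.hex())
    if len(stored) != MD5_LEN:
        if tolerate_trailing_nul and len(stored) == MD5_LEN + 1 and stored[-1] == 0:
            stored = stored[:MD5_LEN]
        else:
            # Strict behaviour: length mismatch fails before any byte compare,
            # which is the md5len != siglen branch seen in the gdb session.
            return ("BAD", stored.hex(), actual.hex())
    return ("OK" if stored == actual else "BAD", stored.hex(), actual.hex())


def build_package(payload, md5_count):
    """Build a constructed minimal RPM: lead, a signature header holding a single
    RPMSIGTAG_MD5 entry of `md5_count` bytes, alignment padding, then `payload`
    standing in for the real header + cpio archive.  md5_count=17 appends 0x00."""
    digest = hashlib.md5(payload).digest()
    data = digest + b"\x00" * (md5_count - MD5_LEN)
    index = struct.pack(">IIII", RPMSIGTAG_MD5, RPM_BIN_TYPE, 0, md5_count)
    sig = HEADER_MAGIC + b"\x00" * 4 + struct.pack(">II", 1, len(data)) + index + data
    pad = b"\x00" * ((8 - len(sig) % 8) % 8)
    lead = (RPM_LEAD_MAGIC + bytes([3, 0])          # format version 3.0
            + struct.pack(">HH", 0, 1)              # type binary, arch number
            + b"demo-1.0-1".ljust(66, b"\x00")      # package name
            + struct.pack(">HH", 1, 5)              # os number, header-style signature
            + b"\x00" * 16)                         # reserved
    assert len(lead) == RPM_LEAD_SIZE
    return lead + sig + pad + payload


# Constructed stand-in for header + payload; any bytes work for the demo.
PAYLOAD = b"constructed header+payload bytes " * 3

GOOD_PKG = build_package(PAYLOAD, MD5_LEN)      # 16-byte digest, as a normal package
BAD_PKG = build_package(PAYLOAD, MD5_LEN + 1)   # 17-byte entry: digest followed by 0x00

if __name__ == "__main__":
    for name, pkg in (("good", GOOD_PKG), ("bad", BAD_PKG)):
        status, exp, act = verify_md5(pkg)
        if status == "OK":
            print("%s: MD5 digest: OK (%s)" % (name, act))
        else:
            print("%s: MD5 digest: %s Expected(%s) != (%s)" % (name, status, exp, act))
    print("bad, lenient mode:", verify_md5(BAD_PKG, tolerate_trailing_nul=True)[0])
```

Two caveats for anyone tempted to loosen the check in a real verifier. First, the strict length test is the right default: a digest field of the wrong size is malformed input, and failing closed is what rpm5 did here; any tolerance should be as narrow as the one above (exactly one extra byte, and that byte zero) and still compare all 128 bits. Second, the MD5 is only an integrity check over the download; with --nosignature the OpenPGP signature over the header is skipped, and that signature, not MD5, is what protects against a tampered repository.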
Comment 4 Mikhail Novosyolov 2020-01-28 22:51:56 MSK
This has been worked around:
https://abf.io/soft/rpm5/commit/67a5f5e60fa6f409a5e67c560dce5a0659feea9c

Thanks for reporting!

--------------
RESOLVED FIXED
Comment 5 Mikhail Novosyolov 2020-02-15 19:50:18 MSK
Also backported to rosa2014.1, see bug#10458