
Issue 594414

Starred by 9 users

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Mar 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 0
Type: Bug


Debian repository only provides MD5 and SHA1 checksums

Reported by julian.k...@gmail.com, Mar 13 2016

Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36

Steps to reproduce the problem:
1.  Look at Release or Packages files

What is the expected behavior?
There are SHA256 (and possibly SHA512) fields

What went wrong?
There are only MD5Sum and SHA1 fields.

Did this work before? N/A 

Chrome version: 49.0.2623.87  Channel: stable
OS Version: 
Flash Version: Shockwave Flash 21.0 r0

This is a potential security issue. We are considering dropping SHA1 support in APT in a few days and I am planning to push this into Ubuntu 16.04 as it does not seem sensible to trust SHA1 repositories until 2021.

Please add SHA2 checksums as soon as possible. The format is the same as for SHA1.
 
I notified security@google.com about this as well, and provided some further information there in an update email (which I hope is read...).
Labels: Te-NeedsFurtherTriage
I just released APT 1.2.7 (should hopefully hit Ubuntu xenial tomorrow).

This now results in the following warnings:

W: gpgv:/var/lib/apt/lists/partial/dl.google.com_linux_chrome_deb_dists_stable_Release.gpg: The repository is insufficiently signed by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 (weak digest)
W: Failed to fetch http://dl.google.com/linux/chrome/deb/dists/stable/Release  No Hash entry in Release file /var/lib/apt/lists/partial/dl.google.com_linux_chrome_deb_dists_stable_Release, which is considered strong enough for security purposes

The first one is really only a warning, the second is actually an error followed by:
E: Some index files failed to download. They have been ignored, or old ones used instead.

Short term, all you need to do is add SHA256 fields to Release and Packages files with the correct values. This gets rid of the error, but keeps the warning. Longer term, the repository should also move away from the DSA signing key to a 2048-bit or stronger RSA key and use SHA512 or SHA256 for the signature in the Release.gpg file.
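The check APT is effectively performing here, as an added example that is not part of the bug report, Google's repository or APT itself: parse the hash sections of a Release file and list the index files that appear only under MD5Sum/SHA1 with no SHA256/SHA512 entry. The Release excerpts and their all-zero digests are constructed placeholders.

```python
"""Check whether an APT Release file advertises SHA-2 checksums.
Added example, not code from the bug report, Google's repository or APT;
the Release excerpts and digests below are constructed placeholders."""
import re

# Hex-digest length per section. APT 1.2.7 treats an index that has only
# MD5Sum/SHA1 entries as "not strong enough" and refuses to use it.
DIGEST_LEN = {"MD5Sum": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# A hash section is "Name:" alone on a line followed by indented entries
# " <hex digest> <size> <path>"; the layout is identical for every algorithm.
HEADER_RE = re.compile(r"^(MD5Sum|SHA1|SHA256|SHA512):\s*$")
ENTRY_RE = re.compile(r"^\s+([0-9a-fA-F]+)\s+(\d+)\s+(\S+)$")

def parse_release(text):
    """Return {section: {path: (digest, size)}}, skipping malformed digests."""
    sections, current = {}, None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            current = m.group(1)
            sections.setdefault(current, {})
        elif (m := ENTRY_RE.match(line)) and current:
            digest, size, path = m.group(1).lower(), int(m.group(2)), m.group(3)
            if len(digest) == DIGEST_LEN[current]:
                sections[current][path] = (digest, size)
        elif line and not line[0].isspace():
            current = None  # any other field (Origin:, Suite:, ...) ends the section
    return sections

def weak_only_paths(text):
    """Paths listed only under MD5Sum/SHA1, i.e. the ones APT 1.2.7 rejects."""
    sections = parse_release(text)
    strong = {p for s in ("SHA256", "SHA512") for p in sections.get(s, {})}
    weak = {p for s in ("MD5Sum", "SHA1") for p in sections.get(s, {})}
    return sorted(weak - strong)

# Constructed excerpt matching the report: MD5Sum and SHA1 sections only.
RELEASE_BEFORE = """\
Origin: Google, Inc.
Suite: stable
MD5Sum:
 00000000000000000000000000000000 1234 main/binary-amd64/Packages
SHA1:
 0000000000000000000000000000000000000000 1234 main/binary-amd64/Packages
"""
# The same file after the fix: a SHA256 section in the same layout.
RELEASE_AFTER = RELEASE_BEFORE + """\
SHA256:
 0000000000000000000000000000000000000000000000000000000000000000 1234 main/binary-amd64/Packages
"""
```

Running `weak_only_paths` on a real Release file (e.g. one saved from `/var/lib/apt/lists/`) reports exactly the index files that would trigger the "No Hash entry ... strong enough" error.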

Comment 4 by mkwst@chromium.org, Mar 16 2016

Labels: -Pri-2 -Te-NeedsFurtherTriage Infra Pri-0
Owner: phajdan.jr@chromium.org
Status: Assigned (was: Unconfirmed)
phajdan.jr@: Can you help me route this to the right folks? Seems like something we ought to fix. :)

julian.klode@: Thanks for the report! Sorry it took us so long to see. When stuff like this pops up in the future, `security@chromium.org` will get to Chrome folks faster.

Comment 5 by mmoss@chromium.org, Mar 17 2016

Status: Fixed (was: Assigned)
The next repository update should have the sha256 checksums.
Perfect. Thanks.

Don't forget to migrate the signing key from DSA with SHA1 to RSA with a SHA2 hash in the next months, so that we can turn off SHA1 for GPG signatures in APT for Ubuntu 16.10 (start shipping an RSA key, and sign the repository with both the old and the new key for some time, then you can drop the old DSA one at some point).
