FS#38246 - [linux] Insecure PKGBUILD

Attached to Project: Arch Linux
Opened by Thue Janus Kristensen (thuejk) - Monday, 23 December 2013, 10:50 GMT
Last edited by Tobias Powalowski (tpowa) - Monday, 02 February 2015, 12:03 GMT
Task Type: Bug Report
Category: Kernel
Status: Closed
Assigned To: Tobias Powalowski (tpowa), Thomas Bächler (brain0)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 1
Private: No

Details

The PKGBUILD script for core/linux is insecure. 1) it is downloading the source over http instead of https. 2) it is verifying the downloaded source with the insecure md5sums instead of the secure[1] sha256sums.

Since there has already been a concrete collision attack on md5[2], there is no effective cryptographic verification in the core/linux build process.

[1] https://wiki.archlinux.org/index.php/PKGBUILD#sha256sums.2C_sha384sums.2C_sha512sums
[2] http://www.zdnet.com/blog/security/ssl-broken-hackers-create-rogue-ca-certificate-using-md5-collisions/2339
Closed by Tobias Powalowski (tpowa)
Monday, 02 February 2015, 12:03 GMT
Reason for closing: Fixed
Comment by Pierre Schmitz (Pierre) - Monday, 23 December 2013, 11:06 GMT
sha256 wouldn't make it a lot more secure. The checksums are just used to verify that the downloaded file was not damaged. The only sane way would be verification by using gpg signatures; unfortunately most upstream projects don't provide these. (afaik kernel.org provides signatures for tar files, but not for the compressed ones; so that's not compatible with makepkg)

It's not only the linux kernel that is affected; most upstream projects are not willing to provide signatures for their releases.
Comment by Thue Janus Kristensen (thuejk) - Monday, 23 December 2013, 11:27 GMT
Well, https would be better than nothing, and trivial to use. And there are some hypothetical scenarios where secure checksums would stop an attack.

In general, I am mystified why the option to use md5sums is even there, instead of just always using the secure sha256sums. The wiki does recommend not using md5sums.
Comment by Allan McRae (Allan) - Monday, 23 December 2013, 12:58 GMT
Probably should use the sha256sum given that is what is provided upstream. That is of course if we make the assumption that the signature provided upstream is not manually checked by the packager... Doing that supersedes all the suggestions made here.
Comment by Peter Wu (Lekensteyn) - Thursday, 20 March 2014, 21:17 GMT
Huh, wut? http insecure? If the integrity of the downloaded file is verified with a checksum or signature, then it does not matter that the transport is unencrypted. Otherwise, you should also be very worried that all Arch mirrors are using HTTP...

Instead of using checksums, you could in addition use PGP signatures. See https://www.kernel.org/category/signatures.html
Comment by Thomas Bächler (brain0) - Thursday, 20 March 2014, 22:23 GMT
To verify kernel.org's signatures in makepkg, we need to wait for pacman 4.2. At least the patch [1] is needed, but others that are not yet merged improve the situation further.

[1] https://projects.archlinux.org/pacman.git/commit/?id=620d2d9d587b9f361fedb464501f59141c98d3da
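The two checks discussed in this thread, as an added example that is not code from the bug report, from makepkg or from the linux PKGBUILD: a PKGBUILD-style sha256sums comparison that honours the SKIP convention, and the decompress-then-verify step that kernel.org's detached signature on the uncompressed tarball requires. The function names and the file names in the usage comment are placeholders; sha256sum, xz and gpg are assumed to be installed and the upstream signing key already imported.

```shell
#!/bin/sh
# Added example, not from the bug report or the Arch packaging tools.
# Assumes sha256sum, xz and gpg are installed and that the upstream
# signing key has already been imported into the gpg keyring.

# Compare a file's SHA-256 against one PKGBUILD-style sha256sums entry.
# Exit status: 0 on match, 1 on mismatch, 2 when the entry is SKIP
# (the makepkg convention for files, such as detached signatures,
# that are deliberately not checksummed).
check_sha256() {
    file=$1
    expected=$2
    [ "$expected" = "SKIP" ] && return 2
    actual=$(sha256sum "$file")
    actual=${actual%% *}          # keep only the hex digest
    [ "$actual" = "$expected" ]
}

# kernel.org signs the uncompressed tarball, so linux-X.Y.tar.sign must be
# checked against the decompressed stream, not against the .tar.xz itself.
# Exit status is gpg's: 0 only for a good signature from a known key.
verify_kernel_sig() {
    tarxz=$1
    sig=$2
    xz -cd "$tarxz" | gpg --verify "$sig" -
}

# Usage (file names are placeholders, not real release artifacts):
#   check_sha256 linux-X.Y.tar.xz "$expected_sha256" || exit 1
#   verify_kernel_sig linux-X.Y.tar.xz linux-X.Y.tar.sign || exit 1
```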