apt-get download checks sha256 hashes when sha512 hashes are available
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| apt (Ubuntu) | Fix Released | Medium | Unassigned | |
Bug Description
While auditing some apt code, I noticed that apt-get download uses SHA-256 hashes even when SHA-512 hashes are available. From DoDownload() in cmdline/apt-get.cc:

```cpp
// get the most appropriate hash
HashString hash;
if (rec.SHA512Hash() != "")
   hash = HashString(
if (rec.SHA256Hash() != "")
   hash = HashString(
else if (rec.SHA1Hash() != "")
   hash = HashString("sha1", rec.SHA1Hash());
else if (rec.MD5Hash() != "")
   hash = HashString("md5", rec.MD5Hash());
// get the file
new pkgAcqFile(
```

The conditional for rec.SHA256Hash() should use an else if statement.
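To make the fall-through concrete, the following is an added example, not apt's own code: it reimplements the selection logic with constructed stand-ins for the record parser (`Record`) and for `HashString`, both of which are hypothetical mocks, and the hash values are placeholders. `SelectHashBuggy` mirrors the snippet above; `SelectHashFixed` applies the else-if chain the report asks for, so the strongest available hash always wins.

```cpp
#include <cstdio>
#include <string>

// Constructed stand-in for apt's package record parser: a record that may
// carry any subset of the four hash types (empty string = not present).
struct Record {
    std::string sha512, sha256, sha1, md5;
    std::string SHA512Hash() const { return sha512; }
    std::string SHA256Hash() const { return sha256; }
    std::string SHA1Hash()   const { return sha1; }
    std::string MD5Hash()    const { return md5; }
};

// Minimal stand-in for apt's HashString: just the hash type and its digest.
struct HashString {
    std::string type, value;
    HashString() {}
    HashString(const std::string &t, const std::string &v) : type(t), value(v) {}
    std::string HashType() const { return type; }  // "" when nothing was chosen
};

// Selection as written in the report: the SHA-256 branch is a plain `if`,
// so whatever the first `if` chose is overwritten by the second chain.
HashString SelectHashBuggy(const Record &rec) {
    HashString hash;
    if (rec.SHA512Hash() != "")
        hash = HashString("sha512", rec.SHA512Hash());
    if (rec.SHA256Hash() != "")           // should be `else if`
        hash = HashString("sha256", rec.SHA256Hash());
    else if (rec.SHA1Hash() != "")        // reached even when SHA-512 was set
        hash = HashString("sha1", rec.SHA1Hash());
    else if (rec.MD5Hash() != "")
        hash = HashString("md5", rec.MD5Hash());
    return hash;
}

// The fix the report asks for: one else-if chain, strongest hash first, so
// each weaker hash is only a fallback when no stronger one is present.
HashString SelectHashFixed(const Record &rec) {
    HashString hash;
    if (rec.SHA512Hash() != "")
        hash = HashString("sha512", rec.SHA512Hash());
    else if (rec.SHA256Hash() != "")
        hash = HashString("sha256", rec.SHA256Hash());
    else if (rec.SHA1Hash() != "")
        hash = HashString("sha1", rec.SHA1Hash());
    else if (rec.MD5Hash() != "")
        hash = HashString("md5", rec.MD5Hash());
    return hash;
}

int main() {
    // Constructed record carrying all four hashes (placeholder digests).
    Record full{"<sha512-placeholder>", "<sha256-placeholder>",
                "<sha1-placeholder>", "<md5-placeholder>"};
    std::printf("all four present: buggy picks %s, fixed picks %s\n",
                SelectHashBuggy(full).HashType().c_str(),
                SelectHashFixed(full).HashType().c_str());

    // Constructed record with SHA-512 and SHA-1 but no SHA-256.
    Record noSha256{"<sha512-placeholder>", "", "<sha1-placeholder>", ""};
    std::printf("no SHA-256:       buggy picks %s, fixed picks %s\n",
                SelectHashBuggy(noSha256).HashType().c_str(),
                SelectHashFixed(noSha256).HashType().c_str());
    return 0;
}
```

The second case goes slightly beyond what the report states: when a record has SHA-512 but no SHA-256, the missing `else` does not merely stop at SHA-256; the chain falls through to SHA-1 (or MD5), so the download is verified against a weaker hash than the one the index actually provides. A unit test asserting on `HashType()` for each combination of present hashes is the cheapest way to keep such a regression from returning.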
tags: added: patch
Changed in apt (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Changed in apt (Ubuntu):
status: Triaged → In Progress
Thanks for the report! Thankfully not that big of an issue as SHA512 isn't widely adopted in the APT-world and SHA256 is "good enough" for now.
apt-pkg/acquire-item.cc has the same issue in pkgAcqArchive::QueueNext() and therefore affecting all downloads except the ones where a hash is forced. Theory says that this code should be in one central place rather than copied (as you can't force a hash for download this way) …