apt-get download checks sha256 hashes when sha512 hashes are available

Thanks for the report! Thankfully not that big of an issue as SHA512 isn't widely adopted in the APT-world and SHA256 "good enough" for now.

apt-pkg/acquire-item.cc has the same issue in pkgAcqArchive::QueueNext() and therefore effecting all downloads expect the ones where a hash is forced. Theory says that this code should be in one central place rather than copied (as you can't force a hash for download this way) …

On Fri, Jan 11, 2013 at 10:58:04PM -0000, Tyler Hicks wrote:
> *** This bug is a security vulnerability ***
>
> Public security bug reported:
>
> While auditing some apt code, I noticed that apt-get download uses
> SHA-256 hashes even when SHA-512 hashes are available. From DoDownload()
> in cmdline/apt-get.cc:
>
> // get the most appropriate hash
> HashString hash;
> if (rec.SHA512Hash() != "")
> hash = HashString("sha512", rec.SHA512Hash());
> if (rec.SHA256Hash() != "")
> hash = HashString("sha256", rec.SHA256Hash());
> else if (rec.SHA1Hash() != "")
> hash = HashString("sha1", rec.SHA1Hash());
> else if (rec.MD5Hash() != "")
> hash = HashString("md5", rec.MD5Hash());
> // get the file
> new pkgAcqFile(&Fetcher, uri, hash.toStr(), (*Ver)->Size, descr, Pkg.Name(), ".");
>
> The conditional for rec.SHA256Hash() should use an else if statement.

Indeed, thanks for reporting. I attach a (trivial) bzr bundle for
this.

Cheers,
 Michael

> ** Affects: apt (Ubuntu)
> Importance: Undecided
> Status: New
>
> --
> You received this bug notification because you are subscribed to apt in
> Ubuntu.
> https://bugs.launchpad.net/bugs/1098752
>
> Title:
> apt-get download checks sha256 hashes when sha512 hashes are available
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1098752/+subscriptions

This bug was fixed in the package apt - 0.9.9.1~ubuntu1

---------------
apt (0.9.9.1~ubuntu1) saucy; urgency=low

  * merged from the debian/sid branch:
    - debian/gbp.conf: change build branch to ubuntu/master
    - use ubuntu keyring and ubuntu archive keyring in apt-key
    - run update-apt-xapian-index in apt.cron
    - run apt-key net-update in cron.daily
    - different example sources.list
    - APT::pkgPackageManager::MaxLoopCount set to 5000
    - apport pkgfailure handling
    - ubuntu changelog download handling
    - patch for apt cross-building, see http://bugs.debian.org/666772
    - debian/apt.auto-removal.sh
      + make kernels auto-removable

apt (0.9.9.1) UNRELEASED; urgency=low

  * debian/rules:
    - call dh_clean in clean (closes: #714980)

apt (0.9.9) unstable; urgency=low

  [ Michael Vogt ]
  * improve debug output for the Debug::pkgProblemResolver and
    Debug::pkgDepCache::AutoInstall
  * improve apt-cdrom output when no CD-ROM can be auto-detected
  * document --no-auto-detect in apt-cdrom

  [ David Kalnischkies ]
  * build the en manpages in subdirectory doc/en
  * remove -ldl from cdrom and -lutil from apt-get linkage
  * rewrite pkgOrderList::DepRemove to stop incorrect immediate setting
    (Closes: 645713)
  * prefer Essentials over Removals in ordering score
  * fix priority sorting by prefering higher in MarkInstall
  * try all providers in order if uninstallable in MarkInstall
  * do unpacks before configures in SmartConfigure (Closes: #707578)
  * fix support for multiple patterns in apt-cache search (Closes: #691453)
  * set Fail flag in FileFd on all errors consistently
  * don't explicitly init ExtractTar InFd with invalid fd
  * OpenDescriptor should autoclose fd always on error (Closes: #704608)
  * fail in CopyFile if the FileFds have error flag set
  * ensure state-dir exists before coyping cdrom files
  * fix file location for configure-index.gz in apt.conf(5) (Closes: #711921)
  * handle missing "Description" in apt-cache show (Closes: #712435)
  * try defaults if auto-detection failed in apt-cdrom (Closes: #712433)
  * support \n and \r\n line endings in ReadMessages
  * do not redownload unchanged InRelease files
  * trigger NODATA error for invalid InRelease files (Closes: #712486)

apt (0.9.8.2) unstable; urgency=low

  [ Programs translations ]
  * French translation : typo fix. Closes: #677272

  [ Guillem Jover ]
  * Update Vcs fields (Closes: #708562)

  [ Michael Vogt ]
  * buildlib/apti18n.h.in:
    - fix build failure when building without NLS (closes: #671587)

  [ Gregoire Menuel ]
  * Fix double free (closes: #711045)

  [ Raphael Geissert ]
  * Fix crash when the "mirror" method does not find any entry
    (closes: #699303)

  [ Johan Kiviniemi ]
  * cmdline/apt-key:
    - Create new keyrings with mode 0644 instead of 0600.
    - Accept a nonexistent --keyring file with the adv subcommand as well.

apt (0.9.8.1) unstable; urgency=low

  [ David Kalnischkies ]
  * apt-pkg/indexcopy.cc:
    - non-inline RunGPGV methods to restore ABI compatibility with previous
      versions to fix partial upgrades (Closes: #707771)

  [ Michael Vogt ]
  * moved source to http://git.debian.org/...