[opensuse-security] zypper ignores instruction to 'discard' packages with FAILed/mismatched digest checksum. downloads & installs it anyway.
While doing a package upgrade I saw this

..................................................................[done (2.2 MiB/s)]
Warning: Digest verification failed for file 'MozillaFirefox-47.0.1-541.2.x86_64.rpm' [/var/cache/zypp/packages/MozillaFACTORY/x86_64/MozillaFirefox-47.0.1-541.2.x86_64.rpm]
  expected ab94e037ad3568d8d09088d1e32e2bc3057ff219d3171085170e9fe1eae115da
  but got 2c7af9fd04b5c9d8e230fd928a65135696c880088c94559c7a5e8d9f0c062ed7

Accepting packages with wrong checksums can lead to a corrupted system and in extreme cases even to a system compromise. However if you made certain that the file with checksum '2c7a..' is secure, correct and should be used within this operation, enter the first 4 characters of the checksum to unblock using this file on your own risk. Empty input will discard the file.

Unblock or discard? [2c7a/? shows all options] (discard):

I hit <ENTER> to accept the default and "discard".

Instead of discarding it, it ACCEPTED the upgrade and started to download it

Retrieving: MozillaFirefox-47.0.1-541.2.x86_64.rpm .........................................................................................<77%>=======================

and eventually installed it

--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-security+owner@opensuse.org
Hello,

On 08/02/2016 10:00 PM, lists@ssl-mail.com wrote:
> While doing a package upgrade
> I saw this
> ..................................................................[done (2.2 MiB/s)]
> Warning: Digest verification failed for file 'MozillaFirefox-47.0.1-541.2.x86_64.rpm' [/var/cache/zypp/packages/MozillaFACTORY/x86_64/MozillaFirefox-47.0.1-541.2.x86_64.rpm]

This is a file in your local cache. From a previous run, possibly broken or manipulated.

> Unblock or discard? [2c7a/? shows all options] (discard):
> I hit <ENTER> to accept the default and "discard"

You discard the cached file.

> Instead of discarding it, it ACCEPTED the upgrade and started to download it

You did not accept the upgrade. You discarded the cached file. Zypper then starts to download a fresh copy:

> Retrieving: MozillaFirefox-47.0.1-541.2.x86_64.rpm .........................................................................................<77%>=======================
> and eventually installed it
But only after verifying that the fresh downloaded file matches the digest as per the signed repository metadata. Not an issue, works as expected.

Andreas

--
Andreas Stieger <astieger@suse.com>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
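The behaviour Andreas describes (cached file fails its digest, "discard" removes it, a fresh copy is downloaded and checked against the digest from the signed repository metadata before anything is installed) can be made concrete with a small model of that flow. The following is an added illustration written for this thread, not zypper or libzypp code: the `fetch` callable stands in for the real download, the package bytes and the "corrupt cache" contents are constructed, and the SHA-256 comparison is what the expected/got lines in the warning correspond to.

```python
"""Model of a cached-package digest check with discard-and-refetch.

Illustrative Python for the zypper behaviour discussed in this thread;
this is not zypper/libzypp code. The expected digest is assumed to come
from signed repository metadata (as in the real case), so a mismatch means
the file on disk, not the metadata, is the untrusted part.
"""
import hashlib
import tempfile
from pathlib import Path


class DigestMismatch(Exception):
    """Raised when a freshly downloaded file also fails verification."""


def sha256_of_file(path: Path) -> str:
    """Stream the file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_or_refetch(cache_path: Path, expected_sha256: str, fetch) -> str:
    """Use the cached file only if its digest matches the signed metadata.

    Otherwise discard it, download a fresh copy via `fetch` (a constructed
    stand-in returning the package bytes) and verify that copy too.
    Returns "cached-ok" or "refetched"; raises DigestMismatch if the fresh
    copy fails as well, in which case nothing verifiable is left in the cache.
    """
    if cache_path.exists():
        if sha256_of_file(cache_path) == expected_sha256:
            return "cached-ok"
        # "discard": the stale/manipulated cached file is removed, never installed
        cache_path.unlink()

    cache_path.write_bytes(fetch())
    if sha256_of_file(cache_path) != expected_sha256:
        cache_path.unlink()  # do not leave an unverified file in the cache
        raise DigestMismatch(
            f"fresh download of {cache_path.name} does not match the expected digest"
        )
    return "refetched"


def run_scenario() -> dict:
    """Replay the thread's situation with constructed data; return the outcomes."""
    good = b"constructed: stands in for MozillaFirefox-47.0.1-541.2.x86_64.rpm\n"
    expected = hashlib.sha256(good).hexdigest()  # what the metadata would carry
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "MozillaFirefox-47.0.1-541.2.x86_64.rpm"

        # 1. Corrupt cache entry, mirror serves the correct file: discard + refetch
        pkg.write_bytes(b"constructed: truncated or manipulated cached copy")
        results["corrupt_cache"] = verify_or_refetch(pkg, expected, lambda: good)
        results["corrupt_cache_final_digest_ok"] = sha256_of_file(pkg) == expected

        # 2. Next run: the verified fresh copy is now the cached file
        results["second_run"] = verify_or_refetch(pkg, expected, lambda: good)

        # 3. Corrupt cache AND a mirror serving a wrong file: refuse, leave nothing behind
        pkg.write_bytes(b"constructed: bad cached copy")
        try:
            verify_or_refetch(pkg, expected, lambda: b"constructed: bad mirror copy")
            results["bad_mirror"] = "accepted"
        except DigestMismatch:
            results["bad_mirror"] = "rejected"
        results["bad_mirror_left_file"] = pkg.exists()
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The third scenario is the one the reporter was worried about: a package that fails verification twice is never installed and no unverified copy remains in the cache, which is why the refetch after "discard" is not an acceptance of the bad file.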
participants (2)
- Andreas Stieger
- lists@ssl-mail.com