Bug#533828: dpkg-scanpackages generated insecure index files

Goswin Brederlow Sat, 20 Jun 2009 10:55:08 -0700

Package: dpkg-dev
Version: 1.15.2
Severity: normal
File: /usr/bin/dpkg-scanpackages


Hi,

md5sum have been known as being insecure for some time now. I assume
it has been overlooked that dpkg-scanpackages still only generates
MD5Sum fields and no SHA1 and SHA256 fields.

MfG
        Goswin

-- System Information:
Debian Release: squeeze/sid
  APT prefers transitional-i386
  APT policy: (500, 'transitional-i386'), (500, 'transitional'), (500, 
'unstable'), (400, 'unstable-i386'), (1, 'experimental-i386'), (1, 
'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.29.4-frosties-1
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages dpkg-dev depends on:
ii  binutils                      2.19.1-1   The GNU assembler, linker and bina
ii  bzip2                         1.0.5-2    high-quality block-sorting file co
ii  dpkg                          1.15.2     Debian package management system
ii  libtimedate-perl              1.1600-9   Time and date functions for Perl
ii  lzma                          4.43-14    Compression method of 7z format in
ii  make                          3.81-5     The GNU version of the "make" util
ii  patch                         2.5.9-5    Apply a diff file to an original
ii  perl [perl5]                  5.10.0-23  Larry Wall's Practical Extraction 
ii  perl-modules                  5.10.0-23  Core Perl modules

Versions of packages dpkg-dev recommends:
ii  build-essential               11.4       Informational list of build-essent
ii  gcc [c-compiler]              4:4.3.3-9  The GNU C compiler
ii  gcc-4.3 [c-compiler]          4.3.3-12   The GNU C compiler
ii  gcc-4.4 [c-compiler]          4.4.0-7    The GNU C compiler
ii  gnupg                         1.4.9-4    GNU privacy guard - a free PGP rep
ii  gpgv                          1.4.9-4    GNU privacy guard - signature veri

Versions of packages dpkg-dev suggests:
ii  debian-keyring                2009.05.28 GnuPG (and obsolete PGP) keys of D
ii  debian-maintainers            1.60       GPG keys of Debian maintainers

-- no debconf information

Package: ia32-libs
Version: 1:3.0
Architecture: all
Maintainer: Debian ia32-libs Team 
<pkg-ia32-libs-maintain...@lists.alioth.debian.org>
Installed-Size: 36
Depends: lib32asound2 | ia32-libasound2, lib32bz2-1.0 | ia32-libbz2-1.0, 
libc6-i386 | ia32-libc6, libc6-dev-i386 | ia32-libc6-dev, lib32gcc1 | 
ia32-libgcc1, lib32ncurses5 | ia32-libncurses5, lib32stdc++6 | ia32-libstdc++6, 
lib32z1 | ia32-zlib1g, ia32-freeglut3, ia32-lesstif2, ia32-libacl1, 
ia32-libaio1, ia32-libasyncns0, ia32-libattr1, ia32-libartsc0, ia32-libaudio2, 
ia32-libaudiofile0, ia32-libcairo2, ia32-libcap2, ia32-libcapi20-3, 
ia32-libcomerr2, ia32-libcups2, ia32-libdbus-1-3, ia32-libdirectfb-1.2-0, 
ia32-libdrm2, ia32-libesd0, ia32-libexif12, ia32-libexpat1, ia32-libfltk1.1, 
ia32-libfontconfig1, ia32-libfreetype6, ia32-libgcrypt11, ia32-libgl1-mesa-glx, 
ia32-libgl1-mesa-dri, ia32-libglu1-mesa, ia32-libgnutls26, ia32-libgpg-error0, 
ia32-libgphoto2-2, ia32-libgphoto2-port0, ia32-libhal1, ia32-libice6, 
ia32-libieee1284-3, ia32-libjack0, ia32-libjpeg62, ia32-libkeyutils1, 
ia32-liblcms1, ia32-libldap-2.4-2, ia32-libltdl7, ia32-liblzo2-2, 
ia32-libnss-ldap, ia32-libpam0g, ia3
 2-libpam-ldap, ia32-libpng12-0, ia32-libpopt0, ia32-libpulse0, ia32-libsane, 
ia32-libsasl2-2, ia32-libselinux1, ia32-libsdl1.2debian-alsa, 
ia32-libsigc++-2.0-0c2a, ia32-libsm6, ia32-libssl0.9.8, ia32-libstdc++5, 
ia32-libsvga1, ia32-libtasn1-3, ia32-libtiff4, ia32-libusb-0.1-4, 
ia32-libwmf0.2-7, ia32-libx11-6, ia32-libx86-1, ia32-libxau6, ia32-libxaw7, 
ia32-libxcb1, ia32-libxcb-render0, ia32-libxcb-render-util0, 
ia32-libxcomposite1, ia32-libxdamage1, ia32-libxdmcp6, ia32-libxext6, 
ia32-libxfixes3, ia32-libxft2, ia32-libxi6, ia32-libxinerama1, ia32-libxml2, 
ia32-libxmu6, ia32-libxmuu1, ia32-libxp6, ia32-libxpm4, ia32-libxrandr2, 
ia32-libxrender1, ia32-libxt6, ia32-libxtrap6, ia32-libxtst6, ia32-libxv1, 
ia32-libxcursor1, ia32-libxslt1.1, ia32-libxss1, ia32-libxxf86vm1, 
ia32-odbcinst1debian1, ia32-unixodbc, ia32-xaw3dg
Filename: ./ia32-libs_3.0_all.deb
Size: 3382
MD5sum: 967b6981f420ff64f4c47121868abc25
Section: libs
Priority: optional
Description: ia32 shared libraries for use on amd64 and ia64 systems
 This is a transitional package that depends on a set of core
 libraries for the ia32/i386 architecture, configured for use on an
 amd64 or ia64 Debian system running a 64-bit kernel.
 .
 It is save to remove this package.

Package: ia32-libs-gtk
Version: 1:3.0
Architecture: all
Maintainer: Debian ia32-libs Team 
<pkg-ia32-libs-maintain...@lists.alioth.debian.org>
Installed-Size: 36
Depends: ia32-libs, ia32-libgtk2.0-0, ia32-libatk1.0-0, ia32-libpango1.0-0, 
ia32-gtk2-engines, ia32-libglib2.0-0, ia32-libart-2.0-2, ia32-libgconf2-4, 
ia32-liborbit2, ia32-libpcre3, ia32-libatspi1.0-0, ia32-libgail-common, 
ia32-libgail18, ia32-at-spi, ia32-libgnomecanvas2-0, ia32-libbonobo2-0, 
ia32-libglade2-0, ia32-libqtcore4, ia32-libqt4-network, ia32-libqt4-script, 
ia32-libqt4-xml, ia32-libqt4-dbus, ia32-libqt4-test, ia32-libqtgui4, 
ia32-libpixman-1-0, ia32-libdbus-glib-1-2, ia32-gtk2-engines-pixbuf, 
ia32-libglib1.2ldbl
Filename: ./ia32-libs-gtk_3.0_all.deb
Size: 2584
MD5sum: d9350bc51a43515b8a16490e997638f1
Section: libs
Priority: optional
Description: ia32 shared libraries for use on amd64 and ia64 systems
 This is a transitional package that depends on a set of extra
 libraries for the ia32/i386 architecture, configured for use on an
 amd64 or ia64 Debian system running a 64-bit kernel. Most notably,
 but not exclusively, GTK+ libraries.
 .
 It is save to remove this package.

Bug#533828: dpkg-scanpackages generated insecure index files

Reply via email to