Cannot fix opkg security issue as gargoyle-opkg cannot just-download?

chgu
Posts: 1
Joined: Sat Feb 08, 2020 7:40 am

Cannot fix opkg security issue as gargoyle-opkg cannot just-download?

Post by chgu »

Trying to fix the current severe opkg security bug (of package checksums not actually checked), I tried to follow the workaround instructions from openwrt-devel/2020-January/021544.html (sorry, system does not allow me to post the link here).

But I found that I cannot fix it that way, because in the opkg version installed with my Gargoyle 1.12 it seems that the "download" sub-command is not enabled, and I failed to find any workaround for getting the correct updated package without opkg.

Any help appreciated...

Lantis
Moderator
Posts: 5409
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Cannot fix opkg security issue as gargoyle-opkg cannot just-download?

Post by Lantis »

Gargoyle does not use opkg (unless you install it...). It uses gpkg, which was forked a long time ago.

It may not be affected by this bug, but give me a few days to look at the code and confirm.
http://lantisproject.com/downloads/gargoyle_ispyisail.php for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.

Lantis
Moderator
Posts: 5409
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Cannot fix opkg security issue as gargoyle-opkg cannot just-download?

Post by Lantis »

Apologies for the delay.

I can confirm that Gargoyle is not affected by this specific vulnerability due to its custom implementation of opkg (gpkg).

If the SHA256Sum (and in older versions, MD5Sum) of the package is tampered with and no longer matches, the package installation is aborted.

Code:

daemon.err uhttpd[2367]: ERROR: SHA256Sum mismatch for plugin-gargoyle-theme-flat-blue package
daemon.err uhttpd[2367]:        Expected:   d273f67ed2ea73127387c9d2cecd9095e1acbd276031b50166a766bb40652a93
daemon.err uhttpd[2367]:        Downloaded: d273f67ed2ea73127387c9d2cecd9095e1acbd276031b50166a766bb40652a92
daemon.err uhttpd[2367]:
daemon.err uhttpd[2367]: An error occurred during Installation, removing partially installed packages.


There is no action required to update gpkg.
IF you install and use opkg, then you should follow the instructions to update it.

I will point out, however, that gpkg does not use signature verification of the package list file, and therefore a MITM attack which presents a valid matching set of package list and ipks will be installed as valid.
This is a shortfall that probably should be corrected long term.
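The two checks discussed in this thread, shown as an added example that is not gpkg's or opkg's own code: a minimal opkg-style "Packages" index is parsed, the downloaded .ipk is hashed and compared against the index's SHA256sum (aborting on mismatch, as in the log above), and a third case shows why a checksum alone cannot catch an index and package that were tampered with consistently, which is the gap a signature over the index (as opkg's usign check provides) closes. The package name and all index fields and bytes are constructed sample data.

```python
# Added example (not Gargoyle/gpkg code): an opkg-style package index carries a
# SHA256sum per package; the installer hashes the downloaded .ipk and aborts on
# mismatch. The index itself is only trustworthy if its signature is checked first.
import hashlib

def parse_index(text):
    """Parse a Packages index into {name: {field: value}} (stanzas separated by blank lines)."""
    entries, cur = {}, {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if "Package" in cur:
                entries[cur["Package"]] = cur
            cur = {}
        elif ":" in line:
            key, _, val = line.partition(":")
            cur[key.strip()] = val.strip()
    return entries

def verify_package(index_text, name, ipk_bytes):
    """Return (ok, message), mirroring the mismatch log: expected vs downloaded digest."""
    entry = parse_index(index_text).get(name)
    if entry is None:
        return False, f"ERROR: {name} not in package list"
    expected = entry["SHA256sum"].lower()
    downloaded = hashlib.sha256(ipk_bytes).hexdigest()
    if downloaded != expected:
        return False, (f"ERROR: SHA256Sum mismatch for {name} package\n"
                       f"  Expected:   {expected}\n  Downloaded: {downloaded}")
    return True, f"{name}: checksum OK"

# Constructed sample: a stand-in "genuine" package and an index stanza describing it.
GENUINE_IPK = b"\x1f\x8b\x08\x00constructed-genuine-ipk-bytes"
INDEX = ("Package: plugin-gargoyle-theme-flat-blue\nVersion: 1.12.0\n"
         "Filename: plugin-gargoyle-theme-flat-blue_1.12.0_all.ipk\n"
         f"SHA256sum: {hashlib.sha256(GENUINE_IPK).hexdigest()}\n\n")

# A modified package checked against the genuine index: caught by the checksum check.
TAMPERED_IPK = GENUINE_IPK + b"\x00"
# A modified package plus a consistently rewritten index (the MITM case from the post):
# the checksum matches, so only a signature check over the index could reject it.
TAMPERED_INDEX = INDEX.replace(hashlib.sha256(GENUINE_IPK).hexdigest(),
                               hashlib.sha256(TAMPERED_IPK).hexdigest())

if __name__ == "__main__":
    cases = [("genuine", INDEX, GENUINE_IPK), ("modified ipk", INDEX, TAMPERED_IPK),
             ("modified ipk + rewritten index", TAMPERED_INDEX, TAMPERED_IPK)]
    for label, idx, ipk in cases:
        ok, msg = verify_package(idx, "plugin-gargoyle-theme-flat-blue", ipk)
        print(f"[{label}] {'ACCEPT' if ok else 'ABORT'}: {msg}")
```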
