Page 1 of 1

Cannot fix opkg security issue as gargoyle-okpg cannot just-download?

Posted: Sat Feb 08, 2020 7:57 am
by chgu
Trying to fix the current severe opkg security bug (of package checksums not actually checked), I tried to follow the workaround instructions from openwrt-devel/2020-January/021544.html (sorry, system does not allow me to post the link here).

But I found that I cannot fix it that way, because in the okpg version installed with my gargoyle 1.12 it seems that the "download" sub-command is not enabled, and I failed to find any workaround how to get the correct updated package without the opkg.

Any help appreciated...

Re: Cannot fix opkg security issue as gargoyle-okpg cannot just-download?

Posted: Sat Feb 08, 2020 9:34 am
by Lantis
Gargoyle does not use opkg (unless you install it...). It uses gpkg, which was forked a long time ago.

It may not be affected by this bug, but give me a few days to look at the code and confirm.

Re: Cannot fix opkg security issue as gargoyle-okpg cannot just-download?

Posted: Fri Feb 14, 2020 7:07 am
by Lantis
Apologies for the delay.

I can confirm that Gargoyle is not affected by this specific vulnerability due to its custom implementation of opkg (gpkg).

If the SHA256Sum (and in older versions, MD5Sum) of the package is tampered with and no longer matches, the package installation is aborted.

Code: Select all

daemon.err uhttpd[2367]: ERROR: SHA256Sum mismatch for plugin-gargoyle-theme-flat-blue package
daemon.err uhttpd[2367]:        Expected:   d273f67ed2ea73127387c9d2cecd9095e1acbd276031b50166a766bb40652a93
daemon.err uhttpd[2367]:        Downloaded: d273f67ed2ea73127387c9d2cecd9095e1acbd276031b50166a766bb40652a92
daemon.err uhttpd[2367]:
daemon.err uhttpd[2367]: An error occurred during Installation, removing partially installed packages.


There is no action required to update gpkg.
IF you install and use opkg, then you should follow the instructions to update it.

I will point out however, that gpkg does not use signature verification of the package list file, and therefore a MITM attack which presents a valid matching set of packages list and ipk's will be installed as valid.
This is a shortfall that probably should be corrected long term.

OpenWRT code-execution bug puts millions of devices at risk

Posted: Wed Apr 01, 2020 7:44 am
by peterpux

Re: OpenWRT code-execution bug puts millions of devices at risk

Posted: Wed Apr 01, 2020 8:15 am
by RomanHK
That's old, and the author (Dan Goodin) probably froze in time:
https://thehackernews.com/2020/03/openw ... ility.html
https://blog.forallsecure.com/uncoverin ... -2020-7982

Another post deals with something similar:
viewtopic.php?f=6&t=12271

Re: Cannot fix opkg security issue as gargoyle-okpg cannot just-download?

Posted: Wed Apr 01, 2020 8:55 am
by Lantis
I've merged the two topics as they discuss the same bug.
As stated above, Gargoyle is not susceptible to the aforementioned issue by default.