Gargoyle Forum

Trying to fix the current severe opkg security bug (of package checksums not actually checked), I tried to follow the workaround instructions from openwrt-devel/2020-January/021544.html (sorry, system does not allow me to post the link here).

But I found that I cannot fix it that way, because in the okpg version installed with my gargoyle 1.12 it seems that the "download" sub-command is not enabled, and I failed to find any workaround how to get the correct updated package without the opkg.

Any help appreciated...

Gargoyle does not use opkg (unless you install it...). It uses gpkg, which was forked a long time ago.

It may not be affected by this bug, but give me a few days to look at the code and confirm.

Apologies for the delay.

I can confirm that Gargoyle is not affected by this specific vulnerability due to its custom implementation of opkg (gpkg).

If the SHA256Sum (and in older versions, MD5Sum) of the package is tampered with and no longer matches, the package installation is aborted. There is no action required to update gpkg.
IF you install and use opkg, then you should follow the instructions to update it.

I will point out however, that gpkg does not use signature verification of the package list file, and therefore a MITM attack which presents a valid matching set of packages list and ipk's will be installed as valid.
This is a shortfall that probably should be corrected long term.

That's old, and the author (Dan Goodin) probably froze in time:
https://thehackernews.com/2020/03/openw ... ility.html
https://blog.forallsecure.com/uncoverin ... -2020-7982

Another post deals with something similar:
viewtopic.php?f=6&t=12271

I've merged the two topics as they discuss the same bug.
As stated above, Gargoyle is not susceptible to the aforementioned issue by default.