Cannot fix opkg security issue as gargoyle-okpg cannot just-download?

chgu
Posts: 1
Joined: Sat Feb 08, 2020 7:40 am

Cannot fix opkg security issue as gargoyle-okpg cannot just-download?

Post by chgu »

Trying to fix the current severe opkg security bug (package checksums not actually being checked), I tried to follow the workaround instructions from openwrt-devel/2020-January/021544.html (sorry, the system does not allow me to post the link here).

But I found that I cannot fix it that way, because in the opkg version installed with my Gargoyle 1.12 it seems that the "download" sub-command is not enabled, and I failed to find any workaround for getting the correct updated package without opkg.

Any help appreciated...

Lantis
Moderator
Posts: 6735
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Cannot fix opkg security issue as gargoyle-okpg cannot just-download?

Post by Lantis »

Gargoyle does not use opkg (unless you install it...). It uses gpkg, which was forked a long time ago.

It may not be affected by this bug, but give me a few days to look at the code and confirm.
http://lantisproject.com/downloads/gargoyle_ispyisail.php for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.

Lantis
Moderator
Posts: 6735
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Cannot fix opkg security issue as gargoyle-okpg cannot just-download?

Post by Lantis »

Apologies for the delay.

I can confirm that Gargoyle is not affected by this specific vulnerability due to its custom implementation of opkg (gpkg).

If the SHA256Sum (and in older versions, MD5Sum) of the package is tampered with and no longer matches, the package installation is aborted.

daemon.err uhttpd[2367]: ERROR: SHA256Sum mismatch for plugin-gargoyle-theme-flat-blue package
daemon.err uhttpd[2367]:        Expected:   d273f67ed2ea73127387c9d2cecd9095e1acbd276031b50166a766bb40652a93
daemon.err uhttpd[2367]:        Downloaded: d273f67ed2ea73127387c9d2cecd9095e1acbd276031b50166a766bb40652a92
daemon.err uhttpd[2367]:
daemon.err uhttpd[2367]: An error occurred during Installation, removing partially installed packages.
There is no action required to update gpkg.
If you install and use opkg, then you should follow the instructions to update it.

I will point out, however, that gpkg does not use signature verification of the package list file, and therefore a MITM attack which presents a valid matching set of package list and ipks will be installed as valid.
This is a shortfall that probably should be corrected long term.
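As an added illustration of the two points in the post above (this is example code written for this thread, not code from Gargoyle or gpkg): a per-package SHA256sum check against the Packages index catches a tampered ipk, but if the index itself is not signature-verified, an index rewritten to match the tampered ipk passes. The index format, package contents and publisher key below are constructed for the example, and a keyed MAC stands in for a real index signature such as OpenWrt's usign/Ed25519.

```python
import hashlib
import hmac

# Constructed sample artefacts (not real Gargoyle packages or indexes).
PKG = "plugin-gargoyle-theme-flat-blue"
GENUINE_IPK = b"genuine ipk contents"
TAMPERED_IPK = b"tampered ipk contents"


def make_index(pkg, ipk):
    """Build a minimal opkg/gpkg-style Packages index entry for ipk."""
    return f"Package: {pkg}\nVersion: 1.0\nSHA256sum: {hashlib.sha256(ipk).hexdigest()}\n\n"


def parse_index(text):
    """Map package name -> SHA256sum field, as a package manager reads it from the index."""
    sums, name = {}, None
    for line in text.splitlines():
        if line.startswith("Package: "):
            name = line.split(": ", 1)[1].strip()
        elif line.startswith("SHA256sum: ") and name:
            sums[name] = line.split(": ", 1)[1].strip().lower()
    return sums


def checksum_ok(index_text, pkg, ipk):
    """The check shown in the log above: abort unless the downloaded ipk matches the index."""
    expected = parse_index(index_text).get(pkg)
    actual = hashlib.sha256(ipk).hexdigest()
    return expected is not None and hmac.compare_digest(expected, actual)


# Stand-in for a real index signature (usign/Ed25519 in OpenWrt): a keyed MAC made by the
# publisher and checked with a key baked into the firmware. Assumption for illustration only.
PUBLISHER_KEY = b"example-publisher-key"


def sign_index(text):
    return hmac.new(PUBLISHER_KEY, text.encode(), "sha256").hexdigest()


def index_ok(text, sig):
    return hmac.compare_digest(sign_index(text), sig)


def install_decision(index_text, sig, pkg, ipk, verify_index_signature):
    """Return True if installation would proceed, with or without the index signature check."""
    if verify_index_signature and not index_ok(index_text, sig):
        return False  # the index itself is not from the publisher: stop before trusting its sums
    return checksum_ok(index_text, pkg, ipk)
```

With `verify_index_signature=False` a consistent attacker-supplied index plus ipk is accepted, which is the MITM shortfall described above; with it set to `True` the same pair is rejected because only the genuine index carries a valid signature.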

peterpux
Posts: 21
Joined: Thu Feb 04, 2016 2:18 pm

OpenWRT code-execution bug puts millions of devices at risk

Post by peterpux »

From Nunavik, Quebec, Canada
WNDR 3800 with Gargoyle 1.10.x Dec 18
WNDR 3800 Repeater with Gargoyle 1.10.x

RomanHK
Posts: 794
Joined: Sat May 04, 2013 4:18 pm
Location: Czech Republic

Re: OpenWRT code-execution bug puts millions of devices at risk

Post by RomanHK »

That's old, and the author (Dan Goodin) probably froze in time:
https://thehackernews.com/2020/03/openw ... ility.html
https://blog.forallsecure.com/uncoverin ... -2020-7982

Another post deals with something similar:
viewtopic.php?f=6&t=12271
Turris Omnia with OpenWrt 21.02 - Tested
Linksys WRT3200ACM with Gargoyle 1.13.x
TL-WR1043ND v2 with Gargoyle 1.10.0

http://gargoyle.romanhk.cz custom builds by gargoyle users

Lantis
Moderator
Posts: 6735
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Cannot fix opkg security issue as gargoyle-okpg cannot just-download?

Post by Lantis »

I've merged the two topics as they discuss the same bug.
As stated above, Gargoyle is not susceptible to the aforementioned issue by default.
