Trying to fix the current severe opkg security bug (of package checksums not actually checked), I tried to follow the workaround instructions from openwrt-devel/2020-January/021544.html (sorry, system does not allow me to post the link here).
But I found that I cannot fix it that way, because in the opkg version installed with my Gargoyle 1.12 it seems that the "download" sub-command is not enabled, and I failed to find any workaround for getting the correct updated package without opkg.
Any help appreciated...
Cannot fix opkg security issue as gargoyle-okpg cannot just-download?
Re: Cannot fix opkg security issue as gargoyle-okpg cannot just-download?
Gargoyle does not use opkg (unless you install it...). It uses gpkg, which was forked a long time ago.
It may not be affected by this bug, but give me a few days to look at the code and confirm.
https://lantisproject.com/downloads/gargoylebuilds for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.
Re: Cannot fix opkg security issue as gargoyle-okpg cannot just-download?
Apologies for the delay.
I can confirm that Gargoyle is not affected by this specific vulnerability due to its custom implementation of opkg (gpkg).
If the SHA256Sum (and in older versions, MD5Sum) of the package is tampered with and no longer matches, the package installation is aborted.
daemon.err uhttpd[2367]: ERROR: SHA256Sum mismatch for plugin-gargoyle-theme-flat-blue package
daemon.err uhttpd[2367]: Expected: d273f67ed2ea73127387c9d2cecd9095e1acbd276031b50166a766bb40652a93
daemon.err uhttpd[2367]: Downloaded: d273f67ed2ea73127387c9d2cecd9095e1acbd276031b50166a766bb40652a92
daemon.err uhttpd[2367]:
daemon.err uhttpd[2367]: An error occurred during Installation, removing partially installed packages.
IF you install and use opkg, then you should follow the instructions to update it.
I will point out, however, that gpkg does not use signature verification of the package list file, and therefore a MITM attack which presents a valid matching set of package list and ipks will be installed as valid.
This is a shortfall that probably should be corrected long term.
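To make the distinction in the reply above concrete, here is an added example (not gpkg, opkg or Gargoyle code) that models the two verification policies side by side: checksum-only verification of the downloaded ipk against the SHA256Sum in the package list, and verification that additionally checks a signature over the package list before trusting any checksum in it. The package list layout, the package name, the ipk payloads and the key are all constructed for the example, and HMAC-SHA256 stands in for a real detached signature so the script runs offline with only the standard library.

```python
"""Added example: checksum-only package verification versus a signed package list.

Assumptions (not from the thread): the 'Packages'-style stanza layout below, the
constructed ipk payloads, and HMAC-SHA256 as a stand-in for a real signature
scheme. The point demonstrated is the one made in the reply: a checksum stops a
tampered ipk, but an attacker who can rewrite both the list and the ipk in transit
produces a self-consistent set that checksum-only verification accepts.
"""
import hashlib
import hmac

# Constructed values standing in for the repository signing key and two ipk files.
REPO_KEY = b"constructed-demo-repo-signing-key"
GENUINE_IPK = b"\x1f\x8b constructed genuine ipk payload"
MALICIOUS_IPK = b"\x1f\x8b constructed attacker ipk payload"


class ChecksumMismatch(Exception):
    """Raised when the downloaded ipk does not match the SHA256Sum in the list."""


class BadSignature(Exception):
    """Raised when the package list's signature does not verify."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_package_list(text: str) -> list[dict[str, str]]:
    """Parse 'Key: value' stanzas separated by blank lines into dicts."""
    packages, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                packages.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        packages.append(current)
    return packages


def make_package_list(name: str, ipk_bytes: bytes) -> str:
    """Build a one-entry package list (constructed layout) for the given ipk."""
    return (f"Package: {name}\nVersion: 1.0-1\n"
            f"SHA256Sum: {sha256_hex(ipk_bytes)}\n"
            f"Filename: {name}_1.0-1_all.ipk\n\n")


def sign_list(list_text: str, key: bytes) -> str:
    """HMAC-SHA256 stands in for the repository's detached signature (assumption)."""
    return hmac.new(key, list_text.encode(), hashlib.sha256).hexdigest()


def verify_checksum_only(list_text: str, name: str, ipk_bytes: bytes) -> bool:
    """Model of the behaviour described in the reply: abort on SHA256Sum mismatch."""
    entry = next(p for p in parse_package_list(list_text) if p["Package"] == name)
    downloaded = sha256_hex(ipk_bytes)
    if not hmac.compare_digest(downloaded, entry["SHA256Sum"]):
        raise ChecksumMismatch(f"SHA256Sum mismatch for {name} package: "
                               f"expected {entry['SHA256Sum']} downloaded {downloaded}")
    return True


def verify_signed_list(list_text: str, list_sig: str, key: bytes,
                       name: str, ipk_bytes: bytes) -> bool:
    """Hardened model: only trust checksums from a list whose signature verifies."""
    if not hmac.compare_digest(sign_list(list_text, key), list_sig):
        raise BadSignature("package list signature does not verify")
    return verify_checksum_only(list_text, name, ipk_bytes)


def run_scenarios() -> dict[str, str]:
    """Exercise both policies against a genuine download, a tampered ipk, and a
    self-consistent list+ipk pair rewritten in transit. Returns outcome labels."""
    name = "plugin-gargoyle-theme-flat-blue"
    real_list = make_package_list(name, GENUINE_IPK)
    real_sig = sign_list(real_list, REPO_KEY)
    # In-transit rewrite: a list whose SHA256Sum matches the malicious ipk, but
    # which the rewriter can only sign with a key the client does not trust.
    rewritten_list = make_package_list(name, MALICIOUS_IPK)
    rewritten_sig = sign_list(rewritten_list, b"constructed-untrusted-key")

    def outcome(check, *args) -> str:
        try:
            return "installed" if check(*args) else "rejected"
        except ChecksumMismatch:
            return "checksum mismatch"
        except BadSignature:
            return "bad signature"

    return {
        "checksum_only/genuine": outcome(verify_checksum_only, real_list, name, GENUINE_IPK),
        "checksum_only/tampered_ipk": outcome(verify_checksum_only, real_list, name, MALICIOUS_IPK),
        "checksum_only/rewritten_set": outcome(verify_checksum_only, rewritten_list, name, MALICIOUS_IPK),
        "signed_list/genuine": outcome(verify_signed_list, real_list, real_sig, REPO_KEY, name, GENUINE_IPK),
        "signed_list/rewritten_set": outcome(verify_signed_list, rewritten_list, rewritten_sig, REPO_KEY, name, MALICIOUS_IPK),
    }


if __name__ == "__main__":
    for scenario, result in run_scenarios().items():
        print(f"{scenario:32s} -> {result}")
```

The "checksum_only/tampered_ipk" case is the one the uhttpd log above shows: the ipk no longer matches the list and installation aborts. The "rewritten_set" cases are the shortfall the reply describes: the checksum-only policy installs the rewritten set because list and ipk agree with each other, while the signed-list policy rejects it before any checksum is consulted. A real deployment would use an asymmetric signature (the client holds only a public key) rather than the shared-key HMAC used here for a self-contained demonstration.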
OpenWRT code-execution bug puts millions of devices at risk
From Nunavik, Quebec, Canada
WNDR 3800 with Gargoyle 1.10.x Dec 18
WNDR 3800 Repeater with Gargoyle 1.10.x
Re: OpenWRT code-execution bug puts millions of devices at risk
That's old, and the author (Dan Goodin) probably froze in time:
https://thehackernews.com/2020/03/openw ... ility.html
https://blog.forallsecure.com/uncoverin ... -2020-7982
Another post deals with something similar:
viewtopic.php?f=6&t=12271
Turris Omnia with OpenWrt 21.02 - Tested
Linksys WRT3200ACM with Gargoyle 1.13.x
TL-WR1043ND v2 with Gargoyle 1.10.0
http://gargoyle.romanhk.cz custom builds by gargoyle users
Re: Cannot fix opkg security issue as gargoyle-okpg cannot just-download?
I've merged the two topics as they discuss the same bug.
As stated above, Gargoyle is not susceptible to the aforementioned issue by default.