Re: [OE-core] [PATCH][dunfell] zlib: backport the fix for CVE-2018-25032

[Ralph Siemsen <ralph.siemsen@linaro.org>]

On Tue, Apr 12, 2022 at 5:49 PM Steve Sakoman <steve@sakoman.com> wrote:

> I added a debug option to the failing command and did another autobuilder run.
>
> You can see the output here:
>
> https://errors.yoctoproject.org/Errors/Details/654608/

Okay, same error, "Hash Sum mismatch". And if I squint between all the
URL-encoding, I can see the md5/sha1/sha256/sha512sum values.

The "apt update" command is doing the following:
- fetch the file called "Release"
- fetch the file called "Packages.gz" --> error occurs here

Looking inside the Release file, it is plain text, and contains the
md5/sha1/sha256/sha512 sums of both Packages and Packages.gz (and also
the first two lines of Release).

Manually checking each of those sums reveals an inconsistency: all the
sha256 values inside Release are incorrect, while all the other
md1/sha1/sha512 values are correct.

And when we look at the URL-encoded debug info... the sha256 value is
the correct one for Packages.gz (as computed manually). However it
does not match the (incorrect) value within the Release file. Thus it
seems apt-get is justified when it complains about "Hash Sum
mismatch".

Going back to my Ubuntu system, and looking at the generated Release
file... all the checksums are correct, including the sha256sum.

So I am now looking into how Release file gets generated... as the
problem appears to be there... and it happens on Fedora but not
Ubuntu.

One additional point to add: on the same Fedora 35 system, I did a
full rebuild *without* with xz/gzip CVE fixes, and the apt failure
still occurs. To be certain, I nuked cache, sstate-cache and tmp (so
basically the entire build directory) and the rebuild took several
hours.

Ralph