microsoft / linux-package-repositories

Microsoft Packaged Linux Software (DEBs, RPMs, etc) are hosted on packages.microsoft.com (PMC) made available as native Linux repositories for use with package managers like APT, YUM, etc.
https://packages.microsoft.com
MIT License

Debian 11 unixodbc 2.3.11-2 AMD64 binaries have mismatched checksums #88

Closed erickpeirson closed 10 months ago

erickpeirson commented 11 months ago

Describe the issue

In the Debian 11 unixodbc 2.3.11-2 AMD64 build at https://packages.microsoft.com/debian/11/prod/pool/main/u/unixodbc/, the checksums associated with the package do not match binaries included therein.

# cat /var/lib/dpkg/info/unixodbc.md5sums
852b1dddca9b1715e413e204d264ef1d  /usr/share/man/man7/unixODBC.7
2eb92461e82f714a967ea411cd83733f  /usr/share/man/man1/isql.1
6d4417413511f394ea82dc90df0ee769  /usr/share/man/man1/iusql.1
d62e3517b4bd1e3602ff015bf3b27897  /usr/bin/iusql
8959d90e615b19d1e5881dbd138e6fe3  /usr/bin/isql

# md5sum /usr/bin/iusql
f79389502c1d33ac844bb90d95d5399e  /usr/bin/iusql
# md5sum /usr/bin/isql
7a38d98564587fead939c17f8caca00f  /usr/bin/isql

This is flagged as a critical security issue in some systems. Build 2.3.11-1 is not affected.

When did the issue occur?

This appears to have been introduced when build 2.3.11-2 was published on 10 October, 2023.

If applicable, what package did you attempt to install, and from which repo?

Steps to Reproduce

Actual Result

Checksums for /usr/bin/iusql and /usr/bin/isql do NOT match the values in unixodbc.md5sums

Expected Result

Checksums for /usr/bin/iusql and /usr/bin/isql DO match the values in unixodbc.md5sums
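The check the reporter ran by hand, generalized to every entry of a package's manifest, as an added example that is not part of the linux-package-repositories project. It assumes the deb-md5sums(5) layout (32-hex digest, two spaces, path relative to /) and builds a constructed temporary root so it runs offline; the only page value it reuses is the isql digest from the report.

```python
import hashlib
import os
import tempfile

def parse_md5sums(text):
    """Parse deb-md5sums(5) lines '<md5>  <path>' (two-space separator).
    Paths are relative to the filesystem root; a leading '/' is tolerated."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, sep, path = line.partition("  ")
        if not sep or len(digest) != 32:
            raise ValueError(f"malformed md5sums line: {line!r}")
        entries.append((digest.lower(), path.lstrip("/")))
    return entries

def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:  # stream: binaries need not fit in memory
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_md5sums(manifest_text, root="/"):
    """Return {relative_path: 'ok' | 'mismatch' | 'missing'} for each entry."""
    results = {}
    for expected, rel in parse_md5sums(manifest_text):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            results[rel] = "missing"
        else:
            results[rel] = "ok" if md5_of_file(full) == expected else "mismatch"
    return results

def demo():
    """Constructed fixture: usr/bin/isql no longer matches the digest recorded
    for it (the report's 8959d90e... value); usr/bin/gone is absent."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr/bin"))
        for name in ("iusql", "isql"):
            with open(os.path.join(root, "usr/bin", name), "wb") as f:
                f.write(f"{name} binary (constructed)\n".encode())
        good = hashlib.md5(b"iusql binary (constructed)\n").hexdigest()
        manifest = (f"{good}  usr/bin/iusql\n"
                    "8959d90e615b19d1e5881dbd138e6fe3  /usr/bin/isql\n"
                    f"{'0' * 32}  usr/bin/gone\n")
        return verify_md5sums(manifest, root)
```

On a real host, `verify_md5sums(open("/var/lib/dpkg/info/unixodbc.md5sums").read())` reproduces the report for the whole package. As v-chojas notes below, these digests catch stale manifests and corrupted files; authenticity of what APT installs rests on the signed repository metadata, not on this file.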

mbearup commented 11 months ago

@erickpeirson thanks for reporting this discrepancy. We've relayed your findings to the SQL maintainers, who will follow up with a mitigation plan/ETA. FWIW, one of our ongoing investments is to verify/enforce package quality, to prevent discrepancies like this from occurring in the future.

v-chojas commented 11 months ago

As you have seen, this issue does not prevent the installation nor affect the usability of the package itself, which is why our testing didn't discover it. According to https://manpages.debian.org/bookworm/dpkg-dev/deb-md5sums.5.en.html the hashes are "not for any kind of security purpose."

We should have a fix for this published in around a week. Apologies for the inconvenience.

v-chojas commented 10 months ago

@erickpeirson 2.3.11-3 has been released with the fix.

erickpeirson commented 10 months ago

@v-chojas Fantastic! Thanks for the quick fix.