Bug 51611 - rpm silently ignores checking md5 sums on files
rpm silently ignores checking md5 sums on files
Product: Red Hat Linux
Classification: Retired
Component: rpm (Show other bugs)
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Jeff Johnson
David Lawrence
: Security
Depends On:
  Show dependency treegraph
Reported: 2001-08-12 18:44 EDT by Bryce Nesbitt
Modified: 2007-04-18 12:35 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2002-02-03 14:39:36 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Bryce Nesbitt 2001-08-12 18:44:08 EDT
Description of Problem:
	rpm --verify does not seem to actually check file checksums

How Reproducible:

Steps to Reproduce:
1.  "rpm -q -l gcc" to get a list of files.
2.  Modify a few files.  Delete or rename a few.
3.  "rpm --verify gcc"

Actual Results:
	[root@headnet bryce]# rpm --verify gcc
	missing    /usr/share/doc/gcc-2.96/README.DWARF

Expected Results:
	Should have reported md5 checksum errors for the files I modified
Comment 1 Jeff Johnson 2001-08-12 19:30:37 EDT
Hmmm, rpm-4.0.3-0.90 verifies md5 sums for me.

What version of rpm?
What platform?
What package did you verify? Try the rpm package ...
What files did you modify? Try adding a line to /usr/lib/rpm/macros ...
Comment 2 Jeff Johnson 2002-02-02 11:40:44 EST
Closed for lack of input.
Comment 3 Bryce Nesbitt 2002-02-03 10:43:13 EST
RPM version 4.0.3
Linux HardHat 2.4.9-21

"rpm -q -l gcc" to find a file that's in the package.
Then, say, "vi /usr/share/doc/gcc-2.96/README.FRESCO".
And rpm --verify gcc

You've modified a file, asked rpm to verify the package, and rpm gives not a
It's not actually verifying anything.

Please reopen.
Comment 4 Jeff Johnson 2002-02-03 10:52:19 EST
If you do "rpm -Va", you will see that rpm is, indeed,
verifying md5 sums on files.

Specific example in a moment ...
Comment 5 Bryce Nesbitt 2002-02-03 11:00:52 EST
Ok, but how do you get it to verify one package?  And why does rpm -V gcc
that gcc is ok?
Comment 6 Jeff Johnson 2002-02-03 11:02:10 EST
bash$ rpm -qf /etc/ftphosts
bash$ rpm -V wu-ftpd
..?..... c /etc/ftpaccess
..?..... c /etc/ftpconversions
..?..... c /etc/ftpgroups
..?..... c /etc/ftphosts
..?..... c /etc/ftpusers
S.5....T c /etc/xinetd.d/wu-ftpd
#===> Note: I forgot to run a s root, the file is unreadable, so '?' is
bash$ sudo vi /etc/ftphosts
#===> single line added        
bash$ sudo rpm -V wu-ftpd
S.5....T c /etc/ftphosts
S.5....T c /etc/xinetd.d/wu-ftpd
#===> Note: this time I remembered to run as root, '5' indicates MD5 check
bash$ sudo vi /etc/ftphosts
#===> line deleted
bash$ sudo rpm -V wu-ftpd
.......T c /etc/ftphosts
S.5....T c /etc/xinetd.d/wu-ftpd
#===> Note: the lack of '5' indicates that MD5 sums match, but 'T' indicates
mfile modified
Comment 7 Jeff Johnson 2002-02-03 11:04:56 EST
Sorry, I clobbered your response.

Dunno your gcc package, but try the steps above
to figger what's up. FWIW, I'm running rpm-4.0.4-0.27,
dunno if that makes a difference.

There's also "rpm -Vf /etc/ftphosts", i.e. verify the package
that contains the file specified.
Comment 8 Bryce Nesbitt 2002-02-03 11:21:32 EST
wu-fpt works for me.
Same steps on gcc (and other packages) fail.

Try gcc.
Comment 9 Jeff Johnson 2002-02-03 11:41:09 EST
Works for me on a file in the gcc package:

yarmouth:/usr/bin 644 bash$ rpm -Vf /usr/bin/gcc
yarmouth:/usr/bin 645 bash$ rpm -V gcc
yarmouth:/usr/bin 646 bash$ rpm -qf gcc
yarmouth:/usr/bin 647 bash$ sudo mv gcc gcc-SAVE
yarmouth:/usr/bin 648 bash$ sudo cp /dev/null gcc
yarmouth:/usr/bin 649 bash$ rpm -Vf gcc
SM5....T   /usr/bin/gcc
yarmouth:/usr/bin 650 bash$ sudo mv gcc-SAVE gcc
yarmouth:/usr/bin 651 bash$ rpm -Vf gcc

Note: The file you have chosen may very well have
disabled file md5 verification in packaging using
a directive like
	%verify(not md5)

That's a whole different problem.
Comment 10 Jeff Johnson 2002-02-03 12:08:34 EST
SInce I don't see a general problem with rpm, I'm gonna
close this bug. Feel free to reopen new bugs against
specific packages i.e. the package that's displayed
if/when you do
	rpm -qf /you/file/path/here
if you still think that there's an MD5 verification
Comment 11 Bryce Nesbitt 2002-02-03 14:07:34 EST
New bug report angle then:
	rpm --verify leads to false sense of security.  If md5 sum has been
	disabled, it should so indicate.
If --verify is not actually checking anything, why should it be telling me
everything is fine?
As a user of rpm I need to understand what's been checked and verified OK, and
not been checked at all.

I just checked with wu-ftp, changing a few characters in:
And again, rpm claims there is no md5 error.

Comment 12 Jeff Johnson 2002-02-03 14:13:58 EST
Hmmm, you comment might just as easily read
	Believing that md5 sums provide security is fooling yourself.

rpm is just a tool, it does what it does, no more, no less. Yes, rpm-4.1,
will do mandatory signature checking on headers that contain MD5
sums, that's a slightly less foolish approach, but then one reaches the
problem of
	How does one know that a public key is valid?
Comment 13 Bryce Nesbitt 2002-02-03 14:39:31 EST
Sure, there are two layers of analysis.

The first level is the tool, and clearly the tool needs fixing if it leads a
to think a MD5 sum has been checked, when it has not been.
Either get rid of the MD5 sum feature or make it work for all files all the time
(indicating, somehow, what was checked and what was not).  You could at
the very very least document that --verify might not actually even try to
check certain files.  The man page gives no hint of this issue.

The deeper level of analysis is not up to the tool - what's an MD5 sum worth?
Comment 14 Jeff Johnson 2002-02-03 14:50:31 EST
Short term answer:
	Not gonna happen.

I've already indicated what the longer term answer is.
Comment 15 Bryce Nesbitt 2002-02-04 09:48:23 EST
Oh well.  It sucks that a tool that lies to me about what it did.

Note You need to log in before you can comment on or make changes to this bug.