[Yum-devel] [PATCH 2/2] Fix md5 == abort() code path, only generate/trust sha2+ for metalink=>repomd

Seth Vidal skvidal at fedoraproject.org
Tue Dec 8 16:24:10 UTC 2009 


On Mon, 7 Dec 2009, James Antill wrote:

> ---
> yum/metalink.py     |    1 +
> yum/repoMDObject.py |    5 +++--
> yum/yumRepo.py      |   12 +++---------
> 3 files changed, 7 insertions(+), 11 deletions(-)
>
> diff --git a/yum/metalink.py b/yum/metalink.py
> index c7f5f83..24da633 100755
> --- a/yum/metalink.py
> +++ b/yum/metalink.py
> @@ -55,6 +55,7 @@ class MetaLinkFile:
>     """ Parse the file metadata out of a metalink file. """
>
>     def __init__(self, elem):
> +        # We aren't "using" any of these, just storing them.
>         chksums = set(["md5", 'sha1', 'sha256', 'sha512'])
>
>         for celem in elem:
> diff --git a/yum/repoMDObject.py b/yum/repoMDObject.py
> index 9f70f1d..2931816 100755
> --- a/yum/repoMDObject.py
> +++ b/yum/repoMDObject.py
> @@ -94,8 +94,9 @@ class RepoMD:
>         else:
>             # srcfile is a file object
>             infile = srcfile
> -
> -        infile = AutoFileChecksums(infile, ['md5', 'sha1', 'sha256'],
> +
> +        # We trust any of these to mean the repomd.xml is valid.
> +        infile = AutoFileChecksums(infile, ['sha256', 'sha512'],
>                                    ignore_missing=True)
>         parser = iterparse(infile)
>
> diff --git a/yum/yumRepo.py b/yum/yumRepo.py
> index 765a595..b97f05a 100644
> --- a/yum/yumRepo.py
> +++ b/yum/yumRepo.py
> @@ -1145,22 +1145,16 @@ class YumRepository(Repository, config.RepoConf):
>         if repoXML.length != repomd.size:
>             return False
>
> -        #  MirrorManager isn't generating sha256 yet, and we should probably
> -        # not require all of the checksums we produce.
> -        done = set()
>         for checksum in repoXML.checksums:
>             if checksum not in repomd.chksums:
>                 continue
>
>             if repoXML.checksums[checksum] != repomd.chksums[checksum]:
>                 return False
> -            done.add(checksum)
>
> -        #  Only allow approved checksums, might want to not "approve" of
> -        # sha1/md5
> -        for checksum in ('sha512', 'sha256', 'sha1', 'md5'):
> -            if checksum in done:
> -                return True
> +            #  If we don't trust the checksum, then don't generate it in
> +            # repoMDObject().
> +            return True
>
>         return False

Not tested this yet - but does this implicitly mean we need to do a: 
Requires: python-hashlib if we want that version to be usable on python 
2.4?

-sv

More information about the Yum-devel mailing list