Bug#782556: marked as done (unblock: lintian/2.5.30+deb8u4)



Your message dated Tue, 14 Apr 2015 17:43:08 +0200
with message-id <20150414154308.GG17727@ugent.be>
and subject line Re: Bug#782556: unblock: lintian/2.5.30+deb8u4
has caused the Debian Bug report #782556,
regarding unblock: lintian/2.5.30+deb8u4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
782556: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782556
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package lintian.  It fixes a bug in the parsing of GPG
headers in control files (e.g. .changes).

Please note that the BTS / Britney believes this version of lintian to
introduce #775760.  This behaviour was already present in previous
versions of Lintian.  I have reassigned it and put a more accurate
found version on it.

unblock lintian/2.5.30+deb8u4

Thanks,
~Niels
diff -Nru lintian-2.5.30+deb8u3/debian/changelog lintian-2.5.30+deb8u4/debian/changelog
--- lintian-2.5.30+deb8u3/debian/changelog	2014-11-28 23:21:10.000000000 +0100
+++ lintian-2.5.30+deb8u4/debian/changelog	2015-04-09 22:09:32.000000000 +0200
@@ -1,3 +1,12 @@
+lintian (2.5.30+deb8u4) unstable; urgency=medium
+
+  * lib/Lintian/Util.pm:
+    + [NT] Stricten the permitted whitespace at the end of GPG
+      marker lines.  This is the same issue as CVE-2015-0840,
+      except lintian never attempted to validate the signature.
+
+ -- Niels Thykier <niels@thykier.net>  Thu, 09 Apr 2015 22:09:29 +0200
+
 lintian (2.5.30+deb8u3) unstable; urgency=medium
 
   * helpers/coll/objdump-info-helper:
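Review bot: the new 2.5.30+deb8u4 entry says the permitted whitespace is made stricter but not what is now accepted. Naming the set the code uses (space, tab, carriage return) would let someone reading only the changelog see what changed relative to CVE-2015-0840. "Stricten" would also read better as "Restrict" or "Tighten".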
diff -Nru lintian-2.5.30+deb8u3/lib/Lintian/Util.pm lintian-2.5.30+deb8u4/lib/Lintian/Util.pm
--- lintian-2.5.30+deb8u3/lib/Lintian/Util.pm	2014-11-28 23:18:08.000000000 +0100
+++ lintian-2.5.30+deb8u4/lib/Lintian/Util.pm	2015-04-09 22:05:41.000000000 +0200
@@ -412,7 +412,7 @@
         # According to http://tools.ietf.org/html/rfc4880#section-6.2
         # The header MUST start at the beginning of the line and MUST NOT have
         # any other text (except whitespace) after the header.
-        elsif (m/^-----BEGIN PGP SIGNATURE-----\s*$/)
+        elsif (m/^-----BEGIN PGP SIGNATURE-----[ \r\t]*$/)
         { # skip until end of signature
             my $saw_end = 0;
             if (not $signed or $signature) {
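Review bot: the comment above the changed `elsif` still says the header may be followed by any "whitespace", while the new pattern accepts only space, carriage return and tab. Update the comment to name those three characters and to say why `\s` was too broad (in Perl it also matches characters such as form feed), so the class is not widened back to `\s*` by a later cleanup.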
@@ -426,7 +426,7 @@
             }
             $signature = $.;
             while (<$CONTROL>) {
-                if (m/^-----END PGP SIGNATURE-----\s*$/o) {
+                if (m/^-----END PGP SIGNATURE-----[ \r\t]*$/o) {
                     $saw_end = 1;
                     last;
                 }
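Review bot: the `/o` modifier on `m/^-----END PGP SIGNATURE-----[ \r\t]*$/o` has no effect, since the pattern interpolates no variables, and the matching BEGIN test in the previous hunk does not carry it. Dropping it here would keep the two marker checks consistent.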
@@ -450,7 +450,7 @@
             #    - Valid, but we don't support partial messages, so
             #      bail on those.
 
-            unless (m/^-----BEGIN PGP SIGNED MESSAGE-----\s*$/) {
+            unless (m/^-----BEGIN PGP SIGNED MESSAGE-----[ \r\t]*$/) {
                 # Not a (full) PGP MESSAGE; reject.
 
                 my $key = qr/(?:BEGIN|END) PGP (?:PUBLIC|PRIVATE) KEY BLOCK/;
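Review bot: `[ \r\t]*$` is now written out by hand in this `unless` test and in three other marker patterns in the patch; one shared definition, for example a single `qr/[ \r\t]*/` interpolated into each pattern, would keep them from drifting apart. The patch as posted also contains no test input with a marker line followed by a whitespace character that is now rejected, which would be worth adding alongside the fix.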
@@ -458,7 +458,7 @@
                 my $msg
                   = qr/(?:BEGIN|END) PGP (?:(?:COMPRESSED|ENCRYPTED) )?MESSAGE/;
 
-                if (m/^-----($key|$msgpart|$msg)-----\s*$/o) {
+                if (m/^-----($key|$msgpart|$msg)-----[ \r\t]*$/o) {
                     die "syntax error at line $.: Unexpected $1 header\n";
                 } else {
                     die "syntax error at line $.: Malformed PGP header\n";
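Review bot: in the `if (m/^-----($key|$msgpart|$msg)-----[ \r\t]*$/o)` test, a recognised marker followed by whitespace outside the new class now falls to the else branch and is reported as "Malformed PGP header" rather than "Unexpected $1 header". Both branches die, so the input is still rejected, but a one-line comment saying this change of diagnostic is intended would help the next reader.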
@@ -475,7 +475,7 @@
                     # allow two paragraphs to merge.  Consider:
                     #
                     # Field-P1: some-value
-                    # -----BEGIN PGP SIGANTURE----
+                    # -----BEGIN PGP SIGNATURE-----
                     #
                     # Field-P2: another value
                     #
@@ -505,9 +505,9 @@
             # two paragraphs to merge.  Consider:
             #
             # Field-P1: some-value
-            # -----BEGIN PGP SIGANTURE----
+            # -----BEGIN PGP SIGNATURE-----
             # [...]
-            # -----END PGP SIGANTURE----
+            # -----END PGP SIGNATURE-----
             # Field-P2: another value
             #
             # At the time of writing: If $open_section is true, it
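Review bot: the corrected example in this comment duplicates the one fixed in the previous hunk, and both copies carried the same misspelled, short-dashed marker. Keeping the example in one comment and referring to it from the other would avoid having to fix it twice again.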

--- End Message ---
--- Begin Message ---
Hi,

On Tue, Apr 14, 2015 at 08:24:12AM +0200, Niels Thykier wrote:
> unblock lintian/2.5.30+deb8u4

Unblocked.

Cheers,

Ivo

--- End Message ---