Bug#696234: apt: Signed Debian control block parsing can be fooled
Package: apt
Version: 0.9.7.7
Severity: normal
File: apt-pkg/indexcopy.cc, ftparchive/writer.cc
User: ansgar@debian.org
Usertags: gpg-clearsign
Hi!
The SigVerify::RunGPGV() function is too strict and will error out on
correct Armor Header Lines (as per RFC4880), those with trailing
whitespace. The function SourcesWriter::DoPackage() will not correctly
strip the PGP signature from the dsc if the Armor Header Line contains
trailing whitespace; it also does not correctly handle OpenPGP blank lines
(those with only whitespace) or surrounding non-signed "garbage".
Ansgar has been filing this kind of bug, and pointed to #695855,
although IMO the RFC is clear enough to be able to implement this
in other places.
Thanks,
Guillem
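The three inputs the report lists (an Armor Header Line with trailing whitespace, a whitespace-only blank line after the armor headers, and unsigned text before and after the signed message) are all permitted by RFC 4880 section 7, so a clearsign splitter has to accept them. The following is an added reference splitter written for this page; it is not apt's code, not the fix to SigVerify::RunGPGV() or SourcesWriter::DoPackage(), and it only separates the parts of a cleartext signature, it does not verify anything. The function and class names and the sample message are constructed for the example; the signature block in the sample is not a real signature.

```python
"""Splitter for OpenPGP cleartext-signed messages (RFC 4880, section 7).

Added example, not apt code.  It accepts the inputs the bug report lists:
Armor Header Lines with trailing whitespace, whitespace-only blank lines,
and unsigned text before or after the signed message.
"""
import re

# RFC 4880 6.2: an Armor Header Line is five dashes, the header text and
# five dashes; trailing whitespace on that line is allowed (section 7).
_BEGIN_SIGNED = re.compile(r"^-----BEGIN PGP SIGNED MESSAGE-----[ \t]*$")
_BEGIN_SIG = re.compile(r"^-----BEGIN PGP SIGNATURE-----[ \t]*$")
_END_SIG = re.compile(r"^-----END PGP SIGNATURE-----[ \t]*$")


class ClearsignError(ValueError):
    """Raised when the input is not a well-formed cleartext signature."""


def _is_blank(line):
    # The armor header block ends at a line that is empty or whitespace only.
    return line.strip() == ""


def header_line_accepted(line, strict=False):
    """Is `line` the BEGIN PGP SIGNED MESSAGE header line?

    strict=True is an exact match, the over-strict check the report
    describes: it rejects the trailing whitespace the RFC permits.
    strict=False is the tolerant match used by split_clearsigned().
    """
    pat = re.compile(r"^-----BEGIN PGP SIGNED MESSAGE-----$") if strict else _BEGIN_SIGNED
    return pat.match(line) is not None


def split_clearsigned(text):
    """Return (armor_headers, signed_text, signature_block).

    armor_headers:   list of (key, value) from the lines after the BEGIN line
    signed_text:     the dash-unescaped message body, lines joined with '\\n'
    signature_block: the ASCII-armored signature, BEGIN..END lines inclusive
    Lines outside the BEGIN/END markers are ignored as non-signed garbage.
    """
    lines = text.splitlines()
    i = 0
    # 1. skip leading garbage until the signed-message header line
    while i < len(lines) and not _BEGIN_SIGNED.match(lines[i]):
        i += 1
    if i == len(lines):
        raise ClearsignError("no BEGIN PGP SIGNED MESSAGE line")
    i += 1
    # 2. armor headers ("Hash: ...") up to the possibly whitespace-only blank line
    headers = []
    while i < len(lines) and not _is_blank(lines[i]):
        key, sep, value = lines[i].partition(":")
        if not sep:
            raise ClearsignError("malformed armor header: %r" % lines[i])
        headers.append((key.strip(), value.strip()))
        i += 1
    if i == len(lines):
        raise ClearsignError("missing blank line after armor headers")
    i += 1
    # 3. signed body up to the signature header line; undo dash-escaping (7.1)
    body = []
    while i < len(lines) and not _BEGIN_SIG.match(lines[i]):
        line = lines[i]
        body.append(line[2:] if line.startswith("- ") else line)
        i += 1
    if i == len(lines):
        raise ClearsignError("no BEGIN PGP SIGNATURE line")
    # 4. the armored signature, END line inclusive; anything after it is dropped
    sig = []
    while i < len(lines):
        sig.append(lines[i].rstrip())
        if _END_SIG.match(lines[i]):
            break
        i += 1
    else:
        raise ClearsignError("no END PGP SIGNATURE line")
    return headers, "\n".join(body), "\n".join(sig)


# Constructed sample, not a real signed file: note the trailing spaces on
# the BEGIN line, the whitespace-only blank line and the unsigned text
# before and after the signed message.
SAMPLE = (
    "X-Mailer: something\n"
    "\n"
    "-----BEGIN PGP SIGNED MESSAGE-----   \n"
    "Hash: SHA256\n"
    "  \n"
    "Format: 3.0 (quilt)\n"
    "Source: hello\n"
    "- -- dash-escaped line\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "\n"
    "iQEcBAEBCAAGBQJQ0000AAoJ (constructed, not a real signature)\n"
    "=AbCd\n"
    "-----END PGP SIGNATURE-----\n"
    "trailing mailing-list footer\n"
)

if __name__ == "__main__":
    hdrs, body, sig = split_clearsigned(SAMPLE)
    print(hdrs)
    print(body)
    print(sig)
```

Note that the splitter only locates and unescapes the signed region; the trailing-whitespace stripping and CRLF canonicalisation that RFC 4880 section 7 requires before hashing belong to the verifier that consumes `signed_text`, and the signature block itself must still be checked against a trusted key before anything in `signed_text` is believed.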