
Bug#696234: apt: Signed Debian control block parsing can be fooled



Package: apt
Version: 0.9.7.7
Severity: normal
File: apt-pkg/indexcopy.cc, ftparchive/writer.cc
User: ansgar@debian.org
Usertags: gpg-clearsign

Hi!

The SigVerify::RunGPGV() function is too strict and will error out on
correct Armor Header Lines (as per RFC4880), those with trailing
whitespace. The function SourcesWriter::DoPackage() will not correctly
strip the PGP signature from the dsc if the Armor Header Line contains
trailing whitespace; it also does not correctly handle OpenPGP blank lines
(those containing only whitespace) or surrounding non-signed "garbage".

Ansgar has been filing this kind of bug, and pointed to #695855,
although IMO the RFC is clear enough to be able to implement this
in other places.

Thanks,
Guillem
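As an added illustration (not code from this bug report and not apt's own implementation), the following C++ parser shows the three lenient behaviours the report asks for when splitting a clearsigned document such as a .dsc: armor lines are compared with trailing whitespace removed, the first whitespace-only line ends the Hash header block, and anything before the BEGIN line or after the END line is ignored. The sample .dsc, its "Hash" value and the signature blob are constructed placeholders, not a real package or signature; `parseClearsigned` and `sampleDsc` are names chosen here.

```cpp
#include <string>
#include <vector>

// Result of splitting one clearsigned document (e.g. a signed .dsc).
struct ClearsignResult {
    bool ok = false;        // true only when all four armor lines were seen in order
    std::string body;       // dash-unescaped cleartext, one '\n' after each line
    std::string signature;  // base64 signature lines, one '\n' after each line
    std::string error;      // reason when ok == false
};

// Remove trailing spaces, tabs and CR. RFC 4880 section 6.2 allows only
// whitespace after an Armor Header Line, so markers must be compared
// after stripping it; CRLF endings are covered by the same rule.
static std::string rtrim(const std::string& s) {
    size_t end = s.find_last_not_of(" \t\r");
    return end == std::string::npos ? "" : s.substr(0, end + 1);
}

static std::vector<std::string> splitLines(const std::string& text) {
    std::vector<std::string> lines;
    std::string cur;
    for (char c : text) {
        if (c == '\n') { lines.push_back(cur); cur.clear(); }
        else cur += c;
    }
    if (!cur.empty()) lines.push_back(cur);   // last line without newline
    return lines;
}

ClearsignResult parseClearsigned(const std::string& text) {
    enum State { PREAMBLE, HASH_HEADERS, BODY, SIG_HEADERS, SIG_DATA, DONE };
    State state = PREAMBLE;
    ClearsignResult r;
    for (const std::string& raw : splitLines(text)) {
        const std::string line = rtrim(raw);   // markers and blank lines judged on the trimmed form
        switch (state) {
        case PREAMBLE:      // unsigned "garbage" before the header is skipped, never part of the body
            if (line == "-----BEGIN PGP SIGNED MESSAGE-----") state = HASH_HEADERS;
            break;
        case HASH_HEADERS:  // "Hash:" lines end at the first blank line; whitespace-only counts as blank
            if (line.empty()) state = BODY;
            break;
        case BODY:
            if (line == "-----BEGIN PGP SIGNATURE-----") { state = SIG_HEADERS; break; }
            // Undo dash-escaping (RFC 4880 section 7.1): a "- " prefix protects lines starting with '-'.
            // Body lines are otherwise kept verbatim.
            r.body += (raw.compare(0, 2, "- ") == 0) ? raw.substr(2) : raw;
            r.body += '\n';
            break;
        case SIG_HEADERS:   // armor headers of the signature block, again ended by a blank line
            if (line.empty()) state = SIG_DATA;
            break;
        case SIG_DATA:
            if (line == "-----END PGP SIGNATURE-----") { state = DONE; break; }
            r.signature += line + '\n';
            break;
        case DONE:          // trailing garbage after the armor tail is ignored
            break;
        }
    }
    if (state != DONE) { r.error = "incomplete clearsigned message"; return r; }
    r.ok = true;
    return r;
}

// Constructed sample: mailer preamble, trailing whitespace after the BEGIN
// line and the Hash header, a whitespace-only blank line, one dash-escaped
// body line, a placeholder signature and trailing garbage.
std::string sampleDsc() {
    return "Some mailer preamble\n"
           "-----BEGIN PGP SIGNED MESSAGE-----  \n"
           "Hash: SHA256\t\n"
           "   \n"
           "Format: 3.0 (quilt)\n"
           "Source: hello\n"
           "- -- dash-escaped line\n"
           "-----BEGIN PGP SIGNATURE-----\n"
           "Version: GnuPG v1\n"
           "\n"
           "PLACEHOLDERSIGNATUREBASE64\n"
           "=AbCd\n"
           "-----END PGP SIGNATURE-----\n"
           "trailing garbage\n";
}

int main() {
    ClearsignResult r = parseClearsigned(sampleDsc());
    return r.ok ? 0 : 1;
}
```

A verifier that rejects the sample above because of the two spaces after the BEGIN line, or that treats the "   " line as the first body line, shows exactly the strictness the report describes; the state machine only ever compares the trimmed form and stops the header block on the first whitespace-only line.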

