apt-pkg/acquire-item.cc: Reject files known to be invalid (LP: #346386) (Closes: #195301)

This commit deals with the following cases:

  - First section of index file (Packages,Sources,Translation) without Package field
  - Signed release files without GPG data (NODATA)
  - i18n/Index files without hash sums

Handling unsigned Release files is more complicated, and the example code
using indexRecords is disabled as it can reject correct Release files
without hashes. How we can reliably check unsigned Release files is
another question, and not urgent anyway, as it should have no
dramatic effect (we could check that it is a valid RFC-822 section,
but that's a bit too long to write)

2 files changed, 47 insertions, 0 deletions

diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc
index 6785b4e1b..6df915d8e 100644
--- a/apt-pkg/acquire-item.cc
+++ b/apt-pkg/acquire-item.cc
@@ -271,6 +271,14 @@ void pkgAcqSubIndex::Done(string Message,unsigned long Size,string Md5Hash,	/*{{
 
    string FinalFile = _config->FindDir("Dir::State::lists")+URItoFileName(Desc.URI);
 
+   /* Downloaded invalid transindex => Error (LP: #346386) (Closes: #195301) */
+   indexRecords SubIndexParser;
+   if (FileExists(DestFile) == true && !SubIndexParser.Load(DestFile)) {
+      Status = StatError;
+      ErrorText = SubIndexParser.ErrorText;
+      return;
+   }
+
    // sucess in downloading the index
    // rename the index
    if(Debug)
@@ -894,6 +902,27 @@ void pkgAcqIndex::Done(string Message,unsigned long Size,string Hash,
 	 ReportMirrorFailure("HashChecksumFailure");
          return;
       }
+
+      /* Verify the index file for correctness (all indexes must
+       * have a Package field) (LP: #346386) (Closes: #195301) */
+      {
+	 FileFd fd(DestFile, FileFd::ReadOnly);
+	 pkgTagSection sec;
+	 pkgTagFile tag(&fd);
+
+	 if (_error->PendingError() || !tag.Step(sec)) {
+	    Status = StatError;
+	    _error->DumpErrors();
+	    Rename(DestFile,DestFile + ".FAILED");
+	    return;
+	 } else if (!sec.Exists("Package")) {
+	    Status = StatError;
+	    ErrorText = ("Encountered a section with no Package: header");
+	    Rename(DestFile,DestFile + ".FAILED");
+	    return;
+	 }
+      }
+       
       // Done, move it into position
       string FinalFile = _config->FindDir("Dir::State::lists");
       FinalFile += URItoFileName(RealURI);
@@ -1330,6 +1359,16 @@ void pkgAcqMetaIndex::AuthDone(string Message)				/*{{{*/
 									/*}}}*/
 void pkgAcqMetaIndex::QueueIndexes(bool verify)				/*{{{*/
 {
+#if 0
+   /* Reject invalid, existing Release files (LP: #346386) (Closes: #195301)
+    * FIXME: Disabled; it breaks unsigned repositories without hashes */
+   if (!verify && FileExists(DestFile) && !MetaIndexParser->Load(DestFile))
+   {
+      Status = StatError;
+      ErrorText = MetaIndexParser->ErrorText;
+      return;
+   }
+#endif
    for (vector <struct IndexTarget*>::const_iterator Target = IndexTargets->begin();
         Target != IndexTargets->end();
         Target++)
@@ -1493,6 +1532,12 @@ void pkgAcqMetaIndex::Failed(string Message,pkgAcquire::MethodConfig *Cnf)
 			 LookupTag(Message,"Message").c_str());
 	 RunScripts("APT::Update::Auth-Failure");
 	 return;
+      } else if (LookupTag(Message,"Message").find("NODATA") != string::npos) {
+	 /* Invalid signature file, reject (LP: #346386) (Closes: #195301) */
+	 _error->Error(_("GPG error: %s: %s"),
+			 Desc.Description.c_str(),
+			 LookupTag(Message,"Message").c_str());
+	 return;
       } else {
 	 _error->Warning(_("GPG error: %s: %s"),
 			 Desc.Description.c_str(),
diff --git a/debian/changelog b/debian/changelog
index 5f5e23eb1..b1d276d5d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,8 @@ apt (0.8.15) UNRELEASED; urgency=low
   * apt-pkg/depcache.cc:
     - Really release action groups only once (Closes: #622744)
     - Make purge work again for config-files (LP: #244598) (Closes: #150831)
+  * apt-pkg/acquire-item.cc:
+    - Reject files known to be invalid (LP: #346386) (Closes: #195301)
   * debian/apt.cron.daily:
     - Check power after wait, patch by manuel-soto (LP: #705269)
   * debian/control: