Fix regression for cdrom: sources from latest security update

Skip a reverify for cdrom: sources. The reverify step is actually harmful here because the apt-cdrom add code uses the indexcopy.cc which will "normalize" the Packages file from the cdrom when it writes it to the local disk. This leads to changing the "MD5sum" field (notice the lower case "s") on the cdrom Packages file to a "MD5Sum" field on the local file in /var/lib/apt/lists. Which of course alters the hash and makes apt fail to reverify the file.
author: Michael Vogt <mvo@ubuntu.com> 2014-09-21 21:23:04 +0200
committer: Michael Vogt <mvo@ubuntu.com> 2014-09-21 21:23:04 +0200
commit: 801745284905e7962aa77a9f37a6b4e7fcdc19d0 (patch)
tree: 69c1fa5449b9fb91779398f2b3aa6128400537c1
parent: 2bd6be8ad24583ed9935f5c5d57c04ba7344111e (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc
index 5df43726b..36c0fa567 100644
--- a/apt-pkg/acquire-item.cc
+++ b/apt-pkg/acquire-item.cc
@@ -1141,6 +1141,12 @@ void pkgAcqIndex::Done(string Message,unsigned long long Size,string Hash,
    else
       Local = true;
 
+   // do not reverify cdrom sources as apt-cdrom may rewrite the Packages
+   // file when its doing the indexcopy
+   if (RealURI.substr(0,6) == "cdrom:" &&
+       StringToBool(LookupTag(Message,"IMS-Hit"),false) == true)
+      return;
+
    // The files timestamp matches, for non-local URLs reverify the local
    // file, for local file, uncompress again to ensure the hashsum is still
    // matching the Release file
author	Michael Vogt <mvo@ubuntu.com>	2014-09-21 21:23:04 +0200
committer	Michael Vogt <mvo@ubuntu.com>	2014-09-21 21:23:04 +0200
commit	801745284905e7962aa77a9f37a6b4e7fcdc19d0 (patch)
tree	69c1fa5449b9fb91779398f2b3aa6128400537c1
parent	2bd6be8ad24583ed9935f5c5d57c04ba7344111e (diff)