authorJulian Andres Klode <jak@debian.org>2015-08-21 18:00:37 +0200
committerJulian Andres Klode <jak@debian.org>2015-08-27 19:50:20 +0200
commit138e0ff0f39db21178515ebad4750088c281fcb1 (patch)
tree0d38113bc5a4cb5cc7f443ac25f64030838df1f4 /apt-pkg/deb/debindexfile.cc
parentda7cdbecff3128fb725b7fdef917d7df4a7dfaac (diff)
Do not parse Status fields from remote sources
This could allow an attacker to mark a package as installed in a remote package index, as long as the package was not listed in the dpkg status file. This way, an attacker could force the installation of a package during a dist-upgrade, by providing two packages in an index, an older marked as installed, and a newer - apt would "upgrade" to the newer version.
Diffstat (limited to 'apt-pkg/deb/debindexfile.cc')
-rw-r--r--apt-pkg/deb/debindexfile.cc2
1 files changed, 1 insertions, 1 deletions
diff --git a/apt-pkg/deb/debindexfile.cc b/apt-pkg/deb/debindexfile.cc
index 5b4289e92..3b7939275 100644
--- a/apt-pkg/deb/debindexfile.cc
+++ b/apt-pkg/deb/debindexfile.cc
@@ -621,7 +621,7 @@ bool debStatusIndex::Merge(pkgCacheGenerator &Gen,OpProgress *Prog) const
FileFd Pkg(File,FileFd::ReadOnly, FileFd::Extension);
if (_error->PendingError() == true)
return false;
- debListParser Parser(&Pkg);
+ debStatusListParser Parser(&Pkg);
if (_error->PendingError() == true)
return false;
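Review bot: The new line `debStatusListParser Parser(&Pkg);` carries the whole trust decision of this fix, but nothing at the construction site records why this index uses a different parser from the others. I would add a comment directly above it, for example `// Only the local dpkg status file may set package state (Status field); indexes fetched from remote sources must use debListParser.`, so that a later refactor does not unify the parser types again. The diff shown is limited to this file, so it cannot be confirmed here that `debListParser` itself now ignores `Status`; presumably that happens in the parser classes, and it is worth checking that every other `Merge` implementation still constructs the plain parser. A regression test that feeds a package index containing a `Status:` field and asserts the package is not treated as installed would pin the behaviour. The body of `debStatusIndex::Merge` begins and ends outside this hunk.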