summaryrefslogtreecommitdiff
path: root/apt-pkg/deb/debindexfile.h
diff options
context:
space:
mode:
authorJulian Andres Klode <jak@debian.org>2015-08-21 18:00:37 +0200
committerJulian Andres Klode <jak@debian.org>2015-08-27 14:51:47 +0200
commit1c73b0fc41c23a08994ef1464c529e0aacff16de (patch)
tree1cbbd50cdf9849b96081a38375f6014f4701cdae /apt-pkg/deb/debindexfile.h
parentf19d6a77f60b876e5453614d24886aabdd242ef6 (diff)
Do not parse Status fields from remote sources
This could allow an attacker to mark a package as installed in a remote package index, as long as the package was not listed in the dpkg status file. This way, an attacker could force the installation of a package during a dist-upgrade, by providing two packages in an index, an older marked as installed, and a newer - apt would "upgrade" to the newer version.
Diffstat (limited to 'apt-pkg/deb/debindexfile.h')
-rw-r--r--apt-pkg/deb/debindexfile.h2
1 files changed, 2 insertions, 0 deletions
diff --git a/apt-pkg/deb/debindexfile.h b/apt-pkg/deb/debindexfile.h
index dc75a01ab..5bec4f2ea 100644
--- a/apt-pkg/deb/debindexfile.h
+++ b/apt-pkg/deb/debindexfile.h
@@ -43,6 +43,8 @@ public:
// Abort if the file does not exist.
virtual bool Exists() const APT_OVERRIDE {return true;};
+ virtual pkgCacheListParser * CreateListParser(FileFd &Pkg) APT_OVERRIDE;
+
debStatusIndex(std::string const &File);
virtual ~debStatusIndex();
};