summaryrefslogtreecommitdiff
path: root/apt-pkg/deb/deblistparser.cc
diff options
context:
space:
mode:
authorJulian Andres Klode <jak@debian.org>2015-08-21 18:00:37 +0200
committerJulian Andres Klode <jak@debian.org>2015-08-27 19:50:20 +0200
commit138e0ff0f39db21178515ebad4750088c281fcb1 (patch)
tree0d38113bc5a4cb5cc7f443ac25f64030838df1f4 /apt-pkg/deb/deblistparser.cc
parentda7cdbecff3128fb725b7fdef917d7df4a7dfaac (diff)
Do not parse Status fields from remote sources
This could allow an attacker to mark a package as installed in a remote package index, as long as the package was not listed in the dpkg status file. This way, an attacker could force the installation of a package during a dist-upgrade, by providing two packages in an index, an older marked as installed, and a newer - apt would "upgrade" to the newer version.
Diffstat (limited to 'apt-pkg/deb/deblistparser.cc')
-rw-r--r--apt-pkg/deb/deblistparser.cc7
1 files changed, 6 insertions, 1 deletions
diff --git a/apt-pkg/deb/deblistparser.cc b/apt-pkg/deb/deblistparser.cc
index 213235c2b..9b384cd4d 100644
--- a/apt-pkg/deb/deblistparser.cc
+++ b/apt-pkg/deb/deblistparser.cc
@@ -333,7 +333,7 @@ unsigned short debListParser::VersionHash()
return Result;
}
/*}}}*/
-// ListParser::ParseStatus - Parse the status field /*{{{*/
+// StatusListParser::ParseStatus - Parse the status field /*{{{*/
// ---------------------------------------------------------------------
/* Status lines are of the form,
Status: want flag status
@@ -345,6 +345,11 @@ unsigned short debListParser::VersionHash()
bool debListParser::ParseStatus(pkgCache::PkgIterator &Pkg,
pkgCache::VerIterator &Ver)
{
+ return true;
+}
+bool debStatusListParser::ParseStatus(pkgCache::PkgIterator &Pkg,
+ pkgCache::VerIterator &Ver)
+{
const char *Start;
const char *Stop;
if (Section.Find("Status",Start,Stop) == false)