diff options
| author | Julian Andres Klode <jak@debian.org> | 2015-08-21 18:00:37 +0200 |
|---|---|---|
| committer | Julian Andres Klode <jak@debian.org> | 2015-08-27 14:51:47 +0200 |
| commit | 1c73b0fc41c23a08994ef1464c529e0aacff16de (patch) | |
| tree | 1cbbd50cdf9849b96081a38375f6014f4701cdae /apt-pkg/deb/deblistparser.cc | |
| parent | f19d6a77f60b876e5453614d24886aabdd242ef6 (diff) | |
Do not parse Status fields from remote sources
This could allow an attacker to mark a package as installed in a
remote package index, as long as the package was not listed in
the dpkg status file.
This way, an attacker could force the installation of a package
during a dist-upgrade, by providing two packages in an index,
an older marked as installed, and a newer - apt would "upgrade"
to the newer version.
Diffstat (limited to 'apt-pkg/deb/deblistparser.cc')
| -rw-r--r-- | apt-pkg/deb/deblistparser.cc | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/apt-pkg/deb/deblistparser.cc b/apt-pkg/deb/deblistparser.cc index 42eca8677..d88e25e6f 100644 --- a/apt-pkg/deb/deblistparser.cc +++ b/apt-pkg/deb/deblistparser.cc @@ -362,7 +362,7 @@ unsigned short debListParser::VersionHash() return Result; } /*}}}*/ -// ListParser::ParseStatus - Parse the status field /*{{{*/ +// StatusListParser::ParseStatus - Parse the status field /*{{{*/ // --------------------------------------------------------------------- /* Status lines are of the form, Status: want flag status @@ -374,6 +374,11 @@ unsigned short debListParser::VersionHash() bool debListParser::ParseStatus(pkgCache::PkgIterator &Pkg, pkgCache::VerIterator &Ver) { + return true; +} +bool debStatusListParser::ParseStatus(pkgCache::PkgIterator &Pkg, + pkgCache::VerIterator &Ver) +{ const char *Start; const char *Stop; if (Section.Find("Status",Start,Stop) == false) |