author | Julian Andres Klode <jak@debian.org> | 2015-08-21 18:00:37 +0200 |
---|---|---|
committer | Julian Andres Klode <jak@debian.org> | 2015-08-27 19:50:20 +0200 |
commit | 138e0ff0f39db21178515ebad4750088c281fcb1 | |
tree | 0d38113bc5a4cb5cc7f443ac25f64030838df1f4 /apt-pkg/deb/deblistparser.h | |
parent | da7cdbecff3128fb725b7fdef917d7df4a7dfaac | |

Do not parse Status fields from remote sources

This could allow an attacker to mark a package as installed in a
remote package index, as long as the package was not listed in
the dpkg status file.

This way, an attacker could force the installation of a package
during a dist-upgrade, by providing two packages in an index,
an older marked as installed, and a newer - apt would "upgrade"
to the newer version.

Diffstat (limited to 'apt-pkg/deb/deblistparser.h')
-rw-r--r-- | apt-pkg/deb/deblistparser.h | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/apt-pkg/deb/deblistparser.h b/apt-pkg/deb/deblistparser.h index 3b6963211..257cac853 100644 --- a/apt-pkg/deb/deblistparser.h +++ b/apt-pkg/deb/deblistparser.h @@ -117,4 +117,11 @@ class debTranslationsParser : public debListParser : debListParser(File, Arch) {}; }; +class APT_HIDDEN debStatusListParser : public debListParser +{ + public: + virtual bool ParseStatus(pkgCache::PkgIterator &Pkg,pkgCache::VerIterator &Ver); + debStatusListParser(FileFd *File) + : debListParser(File) {}; +}; #endif |
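
Review bot: the new `debStatusListParser` has no comment saying when it may be used, and the declaration `virtual bool ParseStatus(pkgCache::PkgIterator &Pkg,pkgCache::VerIterator &Ver);` only works as intended if `debListParser::ParseStatus` is virtual with exactly this signature, which the lines shown here (the view is limited to deblistparser.h) do not establish. If the base signature ever drifts, this becomes a hidden overload rather than an override, and the Status handling the commit message is concerned with changes silently; marking the method as an override where the toolchain allows it would turn that into a compile error. Please also add a class comment stating that this parser is meant for the dpkg status file only and must not be constructed for a downloaded index, since a future caller picking it for a remote source would reintroduce the problem described in the commit message. Minor: the single-argument constructor `debStatusListParser(FileFd *File)` could be `explicit`, and the `;` after its `{}` body is redundant.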