summaryrefslogtreecommitdiff
path: root/apt-pkg/deb/deblistparser.h
diff options
context:
space:
mode:
authorJulian Andres Klode <jak@debian.org>2015-08-21 18:00:37 +0200
committerJulian Andres Klode <jak@debian.org>2015-08-21 19:34:02 +0200
commit130f34b7bc48bb05cc192ca6c66606fd99509b3e (patch)
treee57170b6cd02ab57ba635bfd6e9bf938ee9cc125 /apt-pkg/deb/deblistparser.h
parent990af3c952676eaa51ccd614ab2d4234693da397 (diff)
Do not parse Status fields from remote sources
This could allow an attacker to mark a package as installed in a remote package index, as long as the package was not listed in the dpkg status file. This way, an attacker could force the installation of a package during a dist-upgrade, by providing two packages in an index, an older marked as installed, and a newer - apt would "upgrade" to the newer version.
Diffstat (limited to 'apt-pkg/deb/deblistparser.h')
-rw-r--r--apt-pkg/deb/deblistparser.h7
1 files changed, 7 insertions, 0 deletions
diff --git a/apt-pkg/deb/deblistparser.h b/apt-pkg/deb/deblistparser.h
index db7afa73c..d479997a3 100644
--- a/apt-pkg/deb/deblistparser.h
+++ b/apt-pkg/deb/deblistparser.h
@@ -117,4 +117,11 @@ class debTranslationsParser : public debListParser
: debListParser(File, Arch) {};
};
+class APT_HIDDEN debStatusListParser : public debListParser
+{
+ public:
+ virtual bool ParseStatus(pkgCache::PkgIterator &Pkg,pkgCache::VerIterator &Ver);
+ debStatusListParser(FileFd *File)
+ : debListParser(File) {};
+};
#endif