author | Michael Vogt <michael.vogt@ubuntu.com> | 2013-03-14 14:28:58 +0100 |
---|---|---|
committer | Michael Vogt <michael.vogt@ubuntu.com> | 2013-03-14 14:28:58 +0100 |
commit | ca18208fbda302b767c10bb567f90d7c6127db44 (patch) | |
tree | cda97d475aa06997e79543848de3608d8b7f4908 /apt-pkg/deb/debmetaindex.cc | |
parent | b748b3b36b9db249cf273698b9e4b7eaf9c1c41f (diff) |
* SECURITY UPDATE: InRelease verification bypass
- CVE-2013-1051
* apt-pkg/deb/debmetaindex.cc,
test/integration/test-bug-595691-empty-and-broken-archive-files,
test/integration/test-releasefile-verification:
- disable InRelease downloading until the verification issue is
fixed, thanks to Ansgar Burchardt for finding the flaw
Diffstat (limited to 'apt-pkg/deb/debmetaindex.cc')
-rw-r--r-- | apt-pkg/deb/debmetaindex.cc | 21 |
1 files changed, 14 insertions, 7 deletions
diff --git a/apt-pkg/deb/debmetaindex.cc b/apt-pkg/deb/debmetaindex.cc
index bcc617da7..6c191fd95 100644
--- a/apt-pkg/deb/debmetaindex.cc
+++ b/apt-pkg/deb/debmetaindex.cc
@@ -236,16 +236,23 @@ bool debReleaseIndex::GetIndexes(pkgAcquire *Owner, bool const &GetAll) const
 new pkgAcqIndex(Owner, (*Target)->URI, (*Target)->Description, (*Target)->ShortDesc, HashString());
 }
+
+ // this is normally created in pkgAcqMetaSig, but if we run
+ // in --print-uris mode, we add it here
+ new pkgAcqMetaIndex(Owner, MetaIndexURI("Release"),
+ MetaIndexInfo("Release"), "Release",
+ MetaIndexURI("Release.gpg"),
+ ComputeIndexTargets(),
+ new indexRecords (Dist));
 }
- new pkgAcqMetaClearSig(Owner, MetaIndexURI("InRelease"),
- MetaIndexInfo("InRelease"), "InRelease",
- MetaIndexURI("Release"), MetaIndexInfo("Release"), "Release",
- MetaIndexURI("Release.gpg"), MetaIndexInfo("Release.gpg"), "Release.gpg",
- ComputeIndexTargets(),
- new indexRecords (Dist));
+ new pkgAcqMetaSig(Owner, MetaIndexURI("Release.gpg"),
+ MetaIndexInfo("Release.gpg"), "Release.gpg",
+ MetaIndexURI("Release"), MetaIndexInfo("Release"), "Release",
+ ComputeIndexTargets(),
+ new indexRecords (Dist));
- return true;
+ return true;
 }
 void debReleaseIndex::SetTrusted(bool const Trusted) |
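Review bot: The replacement of `pkgAcqMetaClearSig` by `pkgAcqMetaSig` at the end of `GetIndexes` has no comment saying that InRelease is deliberately not fetched, so the security reason is recorded only in the commit message. The description calls this a temporary measure for CVE-2013-1051, so I would add `// InRelease is intentionally not fetched (CVE-2013-1051): use Release + detached Release.gpg until clearsign verification is fixed` directly above the `new pkgAcqMetaSig(` call. That way a later cleanup cannot restore the clearsigned path without noticing. The start of `GetIndexes` and the condition guarding the `--print-uris` branch lie outside the hunk, so I cannot confirm from here that no other caller still requests InRelease.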