authorMichael Vogt <michael.vogt@ubuntu.com>2013-03-14 14:28:58 +0100
committerMichael Vogt <michael.vogt@ubuntu.com>2013-03-14 14:28:58 +0100
commitca18208fbda302b767c10bb567f90d7c6127db44 (patch)
treecda97d475aa06997e79543848de3608d8b7f4908 /apt-pkg/deb
parentb748b3b36b9db249cf273698b9e4b7eaf9c1c41f (diff)
* SECURITY UPDATE: InRelease verification bypass
  - CVE-2013-1051
* apt-pkg/deb/debmetaindex.cc,
  test/integration/test-bug-595691-empty-and-broken-archive-files,
  test/integration/test-releasefile-verification:
  - disable InRelease downloading until the verification issue is fixed,
    thanks to Ansgar Burchardt for finding the flaw
Diffstat (limited to 'apt-pkg/deb')
-rw-r--r--apt-pkg/deb/debmetaindex.cc21
1 files changed, 14 insertions, 7 deletions
diff --git a/apt-pkg/deb/debmetaindex.cc b/apt-pkg/deb/debmetaindex.cc
index bcc617da7..6c191fd95 100644
--- a/apt-pkg/deb/debmetaindex.cc
+++ b/apt-pkg/deb/debmetaindex.cc
@@ -236,16 +236,23 @@ bool debReleaseIndex::GetIndexes(pkgAcquire *Owner, bool const &GetAll) const
new pkgAcqIndex(Owner, (*Target)->URI, (*Target)->Description,
(*Target)->ShortDesc, HashString());
}
+
+ // this is normally created in pkgAcqMetaSig, but if we run
+ // in --print-uris mode, we add it here
+ new pkgAcqMetaIndex(Owner, MetaIndexURI("Release"),
+ MetaIndexInfo("Release"), "Release",
+ MetaIndexURI("Release.gpg"),
+ ComputeIndexTargets(),
+ new indexRecords (Dist));
}
- new pkgAcqMetaClearSig(Owner, MetaIndexURI("InRelease"),
- MetaIndexInfo("InRelease"), "InRelease",
- MetaIndexURI("Release"), MetaIndexInfo("Release"), "Release",
- MetaIndexURI("Release.gpg"), MetaIndexInfo("Release.gpg"), "Release.gpg",
- ComputeIndexTargets(),
- new indexRecords (Dist));
+ new pkgAcqMetaSig(Owner, MetaIndexURI("Release.gpg"),
+ MetaIndexInfo("Release.gpg"), "Release.gpg",
+ MetaIndexURI("Release"), MetaIndexInfo("Release"), "Release",
+ ComputeIndexTargets(),
+ new indexRecords (Dist));
- return true;
+ return true;
}
void debReleaseIndex::SetTrusted(bool const Trusted)
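Review bot: The `new pkgAcqMetaSig(...)` call that replaces `pkgAcqMetaClearSig` has no comment recording that InRelease was switched off deliberately, so nothing in the file stops a later cleanup from restoring the clearsigned path before the verification flaw is fixed. I would add above it `// InRelease (pkgAcqMetaClearSig) is intentionally not fetched until its signature verification is fixed (CVE-2013-1051); use Release + detached Release.gpg`. Separately, in the `--print-uris` branch the added `pkgAcqMetaIndex` and the `pkgAcqMetaSig` after the closing brace each call `ComputeIndexTargets()` and `new indexRecords (Dist)`. It looks as if both run when `GetAll` is set, and ownership of those objects is not visible here, so it is worth confirming they are released and that Release is not queued twice. `GetIndexes` begins outside the hunk, so the condition guarding that branch is inferred from the added comment.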