SECURITY UPDATE: gpgv: Check for errors when splitting files (CVE-2016-1252)

This fixes a security issue where signatures of the
InRelease files could be circumvented in a man-in-the-middle
attack, giving attackers the ability to serve any packages
they want to a system, in turn giving them root access.

It turns out that getline() may not only return EINVAL
as stated in the documentation - it might also return
in case of an error when allocating memory.

This fix not only adds a check that reading worked
correctly, it also implicitly checks that all writes
worked by reporting any other error that occurred inside
the loop and was logged by apt.

Affected: >= 0.9.8
Reported-By: Jann Horn <jannh@google.com>
Thanks: Jann Horn, Google Project Zero for reporting the issue
LP: #1647467

0 files changed, 0 insertions, 0 deletions