authorMichael Vogt <michael.vogt@ubuntu.com>2012-03-06 17:53:30 +0100
committerMichael Vogt <michael.vogt@ubuntu.com>2012-03-06 17:53:30 +0100
commit6b60ece0fe85ccd70ac6dcb63be7a9f9a4f55c7a (patch)
tree4696bcdde0cd9e6ea7d6c2c390db635a0961b3ea /apt-pkg
parentd426e829eba77281d59a0e6ddef287b96052d531 (diff)
parentb7a6594d1e5ed199a7a472b78b33e070375d6f92 (diff)
* merged from the debian-sid branch, most notably:
- Correct fi translation for hash sum mismatches (LP: #420403) - remove 'old' InRelease file if we can't get a new one before proceeding with Release.gpg to avoid the false impression of a still trusted repository by a (still present) old InRelease file. Thanks to Simon Ruderich for reporting this issue! (CVE-2012-0214) * apt-pkg/acquire-item.cc: - remove 'old' InRelease file if we can't get a new one before proceeding with Release.gpg to avoid the false impression of a still trusted repository by a (still present) old InRelease file. Thanks to Simon Ruderich for reporting this issue! (CVE-2012-0214) * French: replace "étiquetage" by "épinglage" for "pinning"
Diffstat (limited to 'apt-pkg')
-rw-r--r--apt-pkg/acquire-item.cc7
1 files changed, 7 insertions, 0 deletions
diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc
index f231c42b4..6e6c35381 100644
--- a/apt-pkg/acquire-item.cc
+++ b/apt-pkg/acquire-item.cc
@@ -1620,6 +1620,13 @@ void pkgAcqMetaClearSig::Failed(string Message,pkgAcquire::MethodConfig *Cnf) /*
{
if (AuthPass == false)
{
+ // Remove the 'old' InRelease file if we try Release.gpg now as otherwise
+ // the file will stay around and gives a false-auth impression (CVE-2012-0214)
+ string FinalFile = _config->FindDir("Dir::State::lists");
+ FinalFile.append(URItoFileName(RealURI));
+ if (FileExists(FinalFile))
+ unlink(FinalFile.c_str());
+
new pkgAcqMetaSig(Owner,
MetaSigURI, MetaSigURIDesc, MetaSigShortDesc,
MetaIndexURI, MetaIndexURIDesc, MetaIndexShortDesc,
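Review bot: The result of the added `unlink(FinalFile.c_str())` is discarded, so if the removal fails (read-only lists directory, permission error) the stale InRelease file stays in place and the false-trust condition this change targets (CVE-2012-0214) persists with no diagnostic. The preceding `FileExists(FinalFile)` test is also unnecessary and leaves a small window between the check and the removal. Consider calling unlink unconditionally and treating only a missing file as success, e.g. `if (unlink(FinalFile.c_str()) != 0 && errno != ENOENT)`, followed by a warning through the error reporting this file already uses. It is worth deciding whether the fallback to Release.gpg should continue at all in that case. The body of `pkgAcqMetaClearSig::Failed` starts and continues outside this hunk, so later handling of the old file cannot be seen from here.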