-rw-r--r--apt-pkg/acquire-item.cc23
-rw-r--r--debian/changelog36
-rw-r--r--po/vi.po10
-rwxr-xr-xtest/integration/test-apt-update-file34
4 files changed, 84 insertions, 19 deletions
diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc
index 058b8bf74..5df43726b 100644
--- a/apt-pkg/acquire-item.cc
+++ b/apt-pkg/acquire-item.cc
@@ -1120,12 +1120,6 @@ void pkgAcqIndex::Done(string Message,unsigned long long Size,string Hash,
string FileName = LookupTag(Message,"Alt-Filename");
if (FileName.empty() == false)
{
- // The files timestamp matches
- if (StringToBool(LookupTag(Message,"Alt-IMS-Hit"),false) == true)
- {
- ReverifyAfterIMS(FileName);
- return;
- }
Decompression = true;
Local = true;
DestFile += ".decomp";
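Review bot: The removed Alt-IMS-Hit branch is not replaced by any comment, so a reader of the new code will see the Alt-Filename path ignore a method-reported timestamp match and may reintroduce the early return that this commit deletes. I would keep a one-line note at the point where the branch used to be, before `Decompression = true;`: `// Alt-IMS-Hit is deliberately not honoured here: the file is decompressed and hash-checked below regardless (CVE-2014-0487)`. The claim that the hash is checked after decompression rests on the comment added in the following hunk and on the new regression test rather than on lines visible in this hunk, so word it accordingly if that path differs. pkgAcqIndex::Done begins before this hunk and continues after it.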
@@ -1142,18 +1136,19 @@ void pkgAcqIndex::Done(string Message,unsigned long long Size,string Hash,
ErrorText = "Method gave a blank filename";
}
- // The files timestamp matches
- if (StringToBool(LookupTag(Message,"IMS-Hit"),false) == true)
- {
- ReverifyAfterIMS(FileName);
- return;
- }
-
if (FileName == DestFile)
Erase = true;
else
Local = true;
-
+
+ // The files timestamp matches, for non-local URLs reverify the local
+ // file, for local file, uncompress again to ensure the hashsum is still
+ // matching the Release file
+ if (!Local && StringToBool(LookupTag(Message,"IMS-Hit"),false) == true)
+ {
+ ReverifyAfterIMS(FileName);
+ return;
+ }
string decompProg;
// If we enable compressed indexes, queue for hash verification
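Review bot: The new comment describes the condition in terms of "non-local URLs" and "local file", but `Local` is set two lines earlier from `FileName == DestFile`, i.e. from whether the method handed back our own destination file, not from the URI scheme; a future method that returns a foreign filename for a remote URI would take the decompress-and-verify path, and one that writes DestFile for file:// would take the reverify path. I would state the real invariant so nobody "fixes" the condition later: `// IMS-Hit: if the method returned DestFile itself, reverify it in place; if it returned another file (e.g. the file:// source), fall through so it is decompressed and hash-checked like a fresh download (CVE-2014-0487)`. The `StringToBool(...) == true` comparison is redundant and could be `if (Local == false && StringToBool(LookupTag(Message,"IMS-Hit"),false))` to match the `FileName.empty() == false` style used above. pkgAcqIndex::Done continues past the end of this hunk, so the decompression and hash check this comment relies on are not visible here.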
diff --git a/debian/changelog b/debian/changelog
index f8c56cf3d..7c4b4d31c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,39 @@
+apt (1.0.9.1ubuntu1) utopic; urgency=medium
+
+ * merge fixes from debian/sid
+
+ -- Michael Vogt <michael.vogt@ubuntu.com> Wed, 17 Sep 2014 22:17:38 +0200
+
+apt (1.0.9.1) unstable; urgency=high
+
+ [ Michael Vogt ]
+ * Allow override of Proxy-Auto-Detect by the users configuration
+ (Closes: 759264)
+ * fix ci autopkgtest
+ * fix regression from 1.0.9 when file:/// source are used and
+ those are on a different partition than the apt state directory
+ and add regression test
+
+ [ Trần Ngọc Quân ]
+ * l10n: vi.po (636t): Update program translation
+
+ [ Chris Leick ]
+ * Updated German documentation translation
+
+ [ Mert Dirik ]
+ * Turkish program translation update (Closes: 761394)
+
+ -- Michael Vogt <mvo@debian.org> Tue, 16 Sep 2014 20:52:25 +0200
+
+apt (1.0.9) unstable; urgency=high
+
+ * SECURITY UPDATE:
+ - incorrect invalidating of unauthenticated data (CVE-2014-0488)
+ - incorect verification of 304 reply (CVE-2014-0487)
+ - incorrect verification of Acquire::Gzip indexes (CVE-2014-0489)
+
+ -- Michael Vogt <mvo@debian.org> Mon, 15 Sep 2014 08:34:46 +0200
+
apt (1.0.8ubuntu3) utopic; urgency=low
* fix autopkgtest
diff --git a/po/vi.po b/po/vi.po
index 1100281eb..71dcfa553 100644
--- a/po/vi.po
+++ b/po/vi.po
@@ -6,10 +6,10 @@
#
msgid ""
msgstr ""
-"Project-Id-Version: apt 1.0.6\n"
+"Project-Id-Version: apt 1.0.8\n"
"Report-Msgid-Bugs-To: APT Development Team <deity@lists.debian.org>\n"
"POT-Creation-Date: 2014-09-09 20:35+0200\n"
-"PO-Revision-Date: 2014-07-24 14:58+0700\n"
+"PO-Revision-Date: 2014-09-12 13:48+0700\n"
"Last-Translator: Trần Ngọc Quân <vnwildman@gmail.com>\n"
"Language-Team: Vietnamese <translation-team-vi@lists.sourceforge.net>\n"
"Language: vi\n"
@@ -647,7 +647,7 @@ msgstr ""
#: cmdline/apt-helper.cc:36
msgid "Need one URL as argument"
-msgstr ""
+msgstr "Cần một URL làm đối số"
#: cmdline/apt-helper.cc:49
msgid "Must specify at least one pair url/filename"
@@ -658,7 +658,6 @@ msgid "Download Failed"
msgstr "Gặp lỗi khi tải về"
#: cmdline/apt-helper.cc:80
-#, fuzzy
msgid ""
"Usage: apt-helper [options] command\n"
" apt-helper [options] download-file uri target-path\n"
@@ -678,6 +677,7 @@ msgstr ""
"\n"
"Các lệnh:\n"
" download-file - tải về uri đã cho về đường-dẫn-đích\n"
+" auto-detect-proxy - dò tìm proxy dùng apt.conf\n"
"\n"
" Lệnh trợ giúp APT này có Sức Mạnh của Siêu “Meep”.\n"
@@ -1767,7 +1767,7 @@ msgid "%i package can be upgraded. Run 'apt list --upgradable' to see it.\n"
msgid_plural ""
"%i packages can be upgraded. Run 'apt list --upgradable' to see them.\n"
msgstr[0] ""
-"%i gói có thể được cập nhật. Chạy 'apt list --upgradable' để xem chúng.\n"
+"%i gói có thể được cập nhật. Chạy “apt list --upgradable” để xem chúng.\n"
#: apt-private/private-update.cc:94
msgid "All packages are up to date."
diff --git a/test/integration/test-apt-update-file b/test/integration/test-apt-update-file
new file mode 100755
index 000000000..e267c71da
--- /dev/null
+++ b/test/integration/test-apt-update-file
@@ -0,0 +1,34 @@
+#!/bin/sh
+#
+# Ensure that we do not modify file:/// uris (regression test for
+# CVE-2014-0487
+#
+set -e
+
+TESTDIR=$(readlink -f $(dirname $0))
+. $TESTDIR/framework
+
+setupenvironment
+configarchitecture "amd64"
+configcompression 'bz2' 'gz'
+
+insertpackage 'unstable' 'foo' 'all' '1.0'
+
+umask 022
+setupaptarchive --no-update
+
+# ensure the archive is not writable
+chmod 550 aptarchive/dists/unstable/main/binary-amd64
+
+testsuccess aptget update -qq
+testsuccess aptget update -qq
+aptget update -qq -o Debug::pkgAcquire::Auth=1 2> output.log
+
+# ensure that the hash of the uncompressed file was verified even on a local
+# ims hit
+canary="SHA512:$(bzcat aptarchive/dists/unstable/main/binary-amd64/Packages.bz2 | sha512sum |cut -f1 -d' ')"
+grep -q "RecivedHash: $canary" output.log
+
+
+# the cleanup should still work
+chmod 750 aptarchive/dists/unstable/main/binary-amd64
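Review bot: The canary check only proves that a hash of the uncompressed file was logged on the IMS hit; it does not prove that a mismatching hash is rejected, which is the actual CVE-2014-0487 property, so a regression that logs the hash but ignores the comparison would still pass. Under `set -e` the bare `grep -q` on the RecivedHash line also aborts the script with no framework diagnostic when it fails; `testsuccess grep -q "RecivedHash: $canary" output.log` would report through the harness like the other checks, and the final `chmod 750` cleanup would then not be skipped silently. I would add a negative case after the canary: restore write permission, overwrite the compressed index while keeping its mtime (so the file method still reports an IMS hit), and assert the update fails. The exact helper depends on what this framework version provides, so the sketch below hedges on `testfailure`.
```shell
# … unchanged: setup, two successful updates, canary grep …
# a modified index with an unchanged mtime must still be rejected
chmod 750 aptarchive/dists/unstable/main/binary-amd64
touch -r aptarchive/dists/unstable/main/binary-amd64/Packages.bz2 mtime.ref
echo 'tampered' | bzip2 > aptarchive/dists/unstable/main/binary-amd64/Packages.bz2
touch -r mtime.ref aptarchive/dists/unstable/main/binary-amd64/Packages.bz2
testfailure aptget update -qq   # or whatever negative check the framework offers
```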