-rw-r--r-- | apt-pkg/acquire-item.cc | 23 | ||||
-rw-r--r-- | debian/changelog | 36 | ||||
-rw-r--r-- | po/vi.po | 10 | ||||
-rwxr-xr-x | test/integration/test-apt-update-file | 34 |
4 files changed, 84 insertions, 19 deletions
diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc index 058b8bf74..5df43726b 100644 --- a/apt-pkg/acquire-item.cc +++ b/apt-pkg/acquire-item.cc @@ -1120,12 +1120,6 @@ void pkgAcqIndex::Done(string Message,unsigned long long Size,string Hash, string FileName = LookupTag(Message,"Alt-Filename"); if (FileName.empty() == false) { - // The files timestamp matches - if (StringToBool(LookupTag(Message,"Alt-IMS-Hit"),false) == true) - { - ReverifyAfterIMS(FileName); - return; - } Decompression = true; Local = true; DestFile += ".decomp"; @@ -1142,18 +1136,19 @@ void pkgAcqIndex::Done(string Message,unsigned long long Size,string Hash, ErrorText = "Method gave a blank filename"; } - // The files timestamp matches - if (StringToBool(LookupTag(Message,"IMS-Hit"),false) == true) - { - ReverifyAfterIMS(FileName); - return; - } - if (FileName == DestFile) Erase = true; else Local = true; - + + // The files timestamp matches, for non-local URLs reverify the local + // file, for local file, uncompress again to ensure the hashsum is still + // matching the Release file + if (!Local && StringToBool(LookupTag(Message,"IMS-Hit"),false) == true) + { + ReverifyAfterIMS(FileName); + return; + } string decompProg; // If we enable compressed indexes, queue for hash verification diff --git a/debian/changelog b/debian/changelog index f8c56cf3d..7c4b4d31c 100644 --- a/debian/changelog +++ b/debian/changelog 
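Review bot: In the second hunk the new `!Local` guard makes the IMS shortcut depend on the `Local` flag computed two lines earlier, but the comment above it describes behaviour (uncompressing and re-hashing local files) that happens in the fall-through code after the hunk, so a reader cannot see from here that the fall-through is what checks the result against the Release file. Consider stating the mechanism rather than the intent, e.g. `// Local (file://) indexes skip the shortcut and fall through to the decompression path below, where the uncompressed result is hashed`. The first hunk removes the `Alt-IMS-Hit` shortcut without replacement, so the Alt-Filename branch now always decompresses; a one-line comment there would record that this is deliberate rather than an omission. `StringToBool(...) == true` compares a bool with `true`; `if (!Local && StringToBool(LookupTag(Message,"IMS-Hit"),false))` reads more consistently with the `!Local` on the same line. pkgAcqIndex::Done begins before the first hunk and continues after the second.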
@@ -1,3 +1,39 @@ +apt (1.0.9.1ubuntu1) utopic; urgency=medium + + * merge fixes from debian/sid + + -- Michael Vogt <michael.vogt@ubuntu.com> Wed, 17 Sep 2014 22:17:38 +0200 + +apt (1.0.9.1) unstable; urgency=high + + [ Michael Vogt ] + * Allow override of Proxy-Auto-Detect by the users configuration + (Closes: 759264) + * fix ci autopkgtest + * fix regression from 1.0.9 when file:/// source are used and + those are on a different partition than the apt state directory + and add regression test + + [ Trần Ngọc Quân ] + * l10n: vi.po (636t): Update program translation + + [ Chris Leick ] + * Updated German documentation translation + + [ Mert Dirik ] + * Turkish program translation update (Closes: 761394) + + -- Michael Vogt <mvo@debian.org> Tue, 16 Sep 2014 20:52:25 +0200 + +apt (1.0.9) unstable; urgency=high + + * SECURITY UPDATE: + - incorrect invalidating of unauthenticated data (CVE-2014-0488) + - incorect verification of 304 reply (CVE-2014-0487) + - incorrect verification of Acquire::Gzip indexes (CVE-2014-0489) + + -- Michael Vogt <mvo@debian.org> Mon, 15 Sep 2014 08:34:46 +0200 + apt (1.0.8ubuntu3) utopic; urgency=low * fix autopkgtest @@ -6,10 +6,10 @@ # msgid "" msgstr "" -"Project-Id-Version: apt 1.0.6\n" +"Project-Id-Version: apt 1.0.8\n" "Report-Msgid-Bugs-To: APT Development Team <deity@lists.debian.org>\n" "POT-Creation-Date: 2014-09-09 20:35+0200\n" -"PO-Revision-Date: 2014-07-24 14:58+0700\n" +"PO-Revision-Date: 2014-09-12 13:48+0700\n" "Last-Translator: Trần Ngọc Quân <vnwildman@gmail.com>\n" "Language-Team: Vietnamese <translation-team-vi@lists.sourceforge.net>\n" "Language: vi\n" @@ -647,7 +647,7 @@ msgstr "" #: cmdline/apt-helper.cc:36 msgid "Need one URL as argument" -msgstr "" +msgstr "Cần một URL làm đối số" #: cmdline/apt-helper.cc:49 msgid "Must specify at least one pair url/filename" 
@@ -658,7 +658,6 @@ msgid "Download Failed" msgstr "Gặp lỗi khi tải về" #: cmdline/apt-helper.cc:80 -#, fuzzy msgid "" "Usage: apt-helper [options] command\n" " apt-helper [options] download-file uri target-path\n" @@ -678,6 +677,7 @@ msgstr "" "\n" "Các lệnh:\n" " download-file - tải về uri đã cho về đường-dẫn-đích\n" +" auto-detect-proxy - dò tìm proxy dùng apt.conf\n" "\n" " Lệnh trợ giúp APT này có Sức Mạnh của Siêu “Meep”.\n" @@ -1767,7 +1767,7 @@ msgid "%i package can be upgraded. Run 'apt list --upgradable' to see it.\n" msgid_plural "" "%i packages can be upgraded. Run 'apt list --upgradable' to see them.\n" msgstr[0] "" -"%i gói có thể được cập nhật. Chạy 'apt list --upgradable' để xem chúng.\n" +"%i gói có thể được cập nhật. Chạy “apt list --upgradable” để xem chúng.\n" #: apt-private/private-update.cc:94 msgid "All packages are up to date." diff --git a/test/integration/test-apt-update-file b/test/integration/test-apt-update-file new file mode 100755 index 000000000..e267c71da --- /dev/null +++ b/test/integration/test-apt-update-file @@ -0,0 +1,34 @@ +#!/bin/sh +# +# Ensure that we do not modify file:/// uris (regression test for +# CVE-2014-0487 +# +set -e + +TESTDIR=$(readlink -f $(dirname $0)) +. $TESTDIR/framework + +setupenvironment +configarchitecture "amd64" +configcompression 'bz2' 'gz' + +insertpackage 'unstable' 'foo' 'all' '1.0' + +umask 022 +setupaptarchive --no-update + +# ensure the archive is not writable +chmod 550 aptarchive/dists/unstable/main/binary-amd64 + +testsuccess aptget update -qq +testsuccess aptget update -qq +aptget update -qq -o Debug::pkgAcquire::Auth=1 2> output.log + +# ensure that the hash of the uncompressed file was verified even on a local +# ims hit +canary="SHA512:$(bzcat aptarchive/dists/unstable/main/binary-amd64/Packages.bz2 | sha512sum |cut -f1 -d' ')" +grep -q "RecivedHash: $canary" output.log + + +# the cleanup should still work +chmod 750 aptarchive/dists/unstable/main/binary-amd64 |
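Review bot: The assertion on the reverified hash is a bare `grep -q`, so under `set -e` a mismatch aborts the script before the trailing `chmod 750`, leaving `aptarchive/dists/unstable/main/binary-amd64` unwritable for cleanup and reporting the failure without any framework diagnostic. If the framework's `testsuccess` accepts arbitrary commands, `testsuccess grep -q "RecivedHash: $canary" output.log` would give a proper failure message, and a `trap` restoring the mode on exit would keep the cleanup reachable regardless. The header comment `# Ensure that we do not modify file:/// uris (regression test for CVE-2014-0487` is missing its closing parenthesis, and it does not say that the read-only directory set by `chmod 550` is what makes any write to the archive visible. The `RecivedHash:` spelling presumably mirrors the Debug::pkgAcquire::Auth output verbatim; a comment such as `# "RecivedHash" must match the debug output string emitted by acquire-item.cc` would stop a later spelling fix on the C++ side from breaking this test unnoticed.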