summaryrefslogtreecommitdiff
path: root/apt-pkg/acquire-item.cc
diff options
context:
space:
mode:
Diffstat (limited to 'apt-pkg/acquire-item.cc')
-rw-r--r--apt-pkg/acquire-item.cc16
1 files changed, 14 insertions, 2 deletions
diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc
index d347efa54..913764f64 100644
--- a/apt-pkg/acquire-item.cc
+++ b/apt-pkg/acquire-item.cc
@@ -1470,9 +1470,20 @@ void pkgAcqMetaIndex::Done(string Message,unsigned long long Size,string Hash, /
}
else
{
+ // FIXME: move this into pkgAcqMetaClearSig::Done on the next
+ // ABI break
+
+ // if we expect a ClearTextSignature (InRelase), ensure that
+ // this is what we get and if not fail to queue a
+ // Release/Release.gpg, see #346386
+ if (SigFile == DestFile && !StartsWithGPGClearTextSignature(DestFile))
+ {
+ Failed(Message, Cfg);
+ return;
+ }
+
// There was a signature file, so pass it to gpgv for
// verification
-
if (_config->FindB("Debug::pkgAcquire::Auth", false))
std::cerr << "Metaindex acquired, queueing gpg verification ("
<< SigFile << "," << DestFile << ")\n";
@@ -2136,7 +2147,8 @@ void pkgAcqArchive::Done(string Message,unsigned long long Size,string CalcHash,
}
// Check the hash
- if(ExpectedHash.toStr() != CalcHash)
+ // FIXME: could this empty() check impose *any* sort of security issue?
+ if(ExpectedHash.empty() == false && ExpectedHash.toStr() != CalcHash)
{
RenameOnError(HashSumMismatch);
return;