summaryrefslogtreecommitdiff
path: root/apt-pkg
diff options
context:
space:
mode:
Diffstat (limited to 'apt-pkg')
-rw-r--r--apt-pkg/contrib/gpgv.cc18
1 files changed, 16 insertions, 2 deletions
diff --git a/apt-pkg/contrib/gpgv.cc b/apt-pkg/contrib/gpgv.cc
index 35d859849..d956eaf00 100644
--- a/apt-pkg/contrib/gpgv.cc
+++ b/apt-pkg/contrib/gpgv.cc
@@ -297,10 +297,24 @@ void ExecGPGV(std::string const &File, std::string const &FileGPG,
}
if (found_signatures == 0 && statusfd != -1)
{
- // This is not an attack attempt but a file even gpgv would complain about
- // likely the result of a paywall which is covered by the gpgv method
auto const errtag = "[GNUPG:] NODATA\n";
FileFd::Write(fd[1], errtag, strlen(errtag));
+ // guess if this is a binary signature, we never officially supported them,
+ // but silently accepted them via passing them unchecked to gpgv
+ if (found_badcontent)
+ {
+ rewind(detached.get());
+ auto ptag = fgetc(detached.get());
+ // ยง4.2 says that the first bit is always set and gpg seems to generate
+ // only old format which is indicated by the second bit not set
+ if (ptag != EOF && (ptag & 0x80) != 0 && (ptag & 0x40) == 0)
+ {
+ apt_error(std::cerr, statusfd, fd, "Detached signature file '%s' is in unsupported binary format", FileGPG.c_str());
+ local_exit(112);
+ }
+ }
+ // This is not an attack attempt but a file even gpgv would complain about
+ // likely the result of a paywall which is covered by the gpgv method
local_exit(113);
}
else if (found_badcontent)