From b7a6594d1e5ed199a7a472b78b33e070375d6f92 Mon Sep 17 00:00:00 2001
From: Michael Vogt <egon@debian-devbox>
Date: Tue, 6 Mar 2012 17:22:44 +0100
Subject: * apt-pkg/acquire-item.cc:   - remove 'old' InRelease file if we
 can't get a new one before     proceeding with Release.gpg to avoid the false
 impression of a still     trusted repository by a (still present) old
 InRelease file.     Thanks to Simon Ruderich for reporting this issue!
 (CVE-2012-0214)

---
 apt-pkg/acquire-item.cc | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'apt-pkg/acquire-item.cc')

diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc
index 39ce90dda..eda45d7be 100644
--- a/apt-pkg/acquire-item.cc
+++ b/apt-pkg/acquire-item.cc
@@ -1608,6 +1608,13 @@ void pkgAcqMetaClearSig::Failed(string Message,pkgAcquire::MethodConfig *Cnf) /*
 {
    if (AuthPass == false)
    {
+      // Remove the 'old' InRelease file if we try Release.gpg now as otherwise
+      // the file will stay around and gives a false-auth impression (CVE-2012-0214)
+      string FinalFile = _config->FindDir("Dir::State::lists");
+      FinalFile.append(URItoFileName(RealURI));
+      if (FileExists(FinalFile))
+	 unlink(FinalFile.c_str());
+
       new pkgAcqMetaSig(Owner,
 			MetaSigURI, MetaSigURIDesc, MetaSigShortDesc,
 			MetaIndexURI, MetaIndexURIDesc, MetaIndexShortDesc,
-- 
cgit v1.2.3