From 1c73b0fc41c23a08994ef1464c529e0aacff16de Mon Sep 17 00:00:00 2001 From: Julian Andres Klode Date: Fri, 21 Aug 2015 18:00:37 +0200 Subject: Do not parse Status fields from remote sources This could allow an attacker to mark a package as installed in a remote package index, as long as the package was not listed in the dpkg status file. This way, an attacker could force the installation of a package during a dist-upgrade, by providing two packages in an index, an older marked as installed, and a newer - apt would "upgrade" to the newer version. --- apt-pkg/deb/debindexfile.cc | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'apt-pkg/deb/debindexfile.cc') diff --git a/apt-pkg/deb/debindexfile.cc b/apt-pkg/deb/debindexfile.cc index c43ee7b91..32ccd7529 100644 --- a/apt-pkg/deb/debindexfile.cc +++ b/apt-pkg/deb/debindexfile.cc @@ -145,6 +145,17 @@ uint8_t debStatusIndex::GetIndexFlags() const { return pkgCache::Flag::NotSource; } + +pkgCacheListParser * debStatusIndex::CreateListParser(FileFd &Pkg) +{ + if (Pkg.IsOpen() == false) + return NULL; + _error->PushToStack(); + pkgCacheListParser * const Parser = new debStatusListParser(&Pkg); + bool const newError = _error->PendingError(); + _error->MergeWithStack(); + return newError ? NULL : Parser; +} /*}}}*/ // DebPkgFile Index - a single .deb file as an index /*{{{*/ debDebPkgFileIndex::debDebPkgFileIndex(std::string const &DebFile) -- cgit v1.2.3