From 1c73b0fc41c23a08994ef1464c529e0aacff16de Mon Sep 17 00:00:00 2001
From: Julian Andres Klode <jak@debian.org>
Date: Fri, 21 Aug 2015 18:00:37 +0200
Subject: Do not parse Status fields from remote sources

This could allow an attacker to mark a package as installed in a
remote package index, as long as the package was not listed in
the dpkg status file.

This way, an attacker could force the installation of a package
during a dist-upgrade, by providing two packages in an index,
an older marked as installed, and a newer - apt would "upgrade"
to the newer version.
---
 apt-pkg/deb/deblistparser.h | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'apt-pkg/deb/deblistparser.h')

diff --git a/apt-pkg/deb/deblistparser.h b/apt-pkg/deb/deblistparser.h
index 747e022d8..0884479db 100644
--- a/apt-pkg/deb/deblistparser.h
+++ b/apt-pkg/deb/deblistparser.h
@@ -119,4 +119,11 @@ class APT_HIDDEN debTranslationsParser : public debListParser
       : debListParser(File) {};
 };
 
+class APT_HIDDEN debStatusListParser : public debListParser
+{
+ public:
+   virtual bool ParseStatus(pkgCache::PkgIterator &Pkg,pkgCache::VerIterator &Ver);
+   debStatusListParser(FileFd *File)
+      : debListParser(File) {};
+};
 #endif
-- 
cgit v1.2.3