From daff4aa356128310f022370f7825bdc369c66ba8 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Wed, 17 Sep 2014 14:57:05 +0200 Subject: Fix regression for file:/// uris from CVE-2014-0487 Do not run ReverifyAfterIMS() for local file URIs as this will causes apt to mess around in the file:/// uri space. This is wrong in itself, but it will also cause a incorrect verification failure when the archive and the lists directory are on different partitions as rename(). --- apt-pkg/acquire-item.cc | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) (limited to 'apt-pkg') diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc index 058b8bf74..2ced65aa2 100644 --- a/apt-pkg/acquire-item.cc +++ b/apt-pkg/acquire-item.cc @@ -1120,12 +1120,6 @@ void pkgAcqIndex::Done(string Message,unsigned long long Size,string Hash, string FileName = LookupTag(Message,"Alt-Filename"); if (FileName.empty() == false) { - // The files timestamp matches - if (StringToBool(LookupTag(Message,"Alt-IMS-Hit"),false) == true) - { - ReverifyAfterIMS(FileName); - return; - } Decompression = true; Local = true; DestFile += ".decomp"; @@ -1142,18 +1136,18 @@ void pkgAcqIndex::Done(string Message,unsigned long long Size,string Hash, ErrorText = "Method gave a blank filename"; } + if (FileName == DestFile) + Erase = true; + else + Local = true; + // The files timestamp matches - if (StringToBool(LookupTag(Message,"IMS-Hit"),false) == true) + if (!Local && StringToBool(LookupTag(Message,"IMS-Hit"),false) == true) { ReverifyAfterIMS(FileName); return; } - if (FileName == DestFile) - Erase = true; - else - Local = true; - string decompProg; // If we enable compressed indexes, queue for hash verification -- cgit v1.2.3