Package: dpkg-dev
Version: 1.13.22
Severity: wishlist
Tags: patch
I'm not sure what the subset of non-zero exit statuses that results after this
bitshifting means (FWIW, the gpg manpage only makes a distinction between zero
and non-zero status), but it's clearly something we don't want. If gpg returns
non-zero, it is a potential security issue and I think it should be treated as
an unpack error.
Patch attached.
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-2-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Versions of packages dpkg-dev depends on:
ii binutils 2.17-2 The GNU assembler, linker and bina
ii cpio 2.6-17 GNU cpio -- a program to manage ar
ii dpkg 1.13.22 package maintenance system for Deb
ii make 3.81-3 The GNU version of the "make" util
ii patch 2.5.9-4 Apply a diff file to an original
ii perl [perl5] 5.8.8-6.1 Larry Wall's Practical Extraction
ii perl-modules 5.8.8-6.1 Core Perl modules
Versions of packages dpkg-dev recommends:
ii bzip2 1.0.3-6 high-quality block-sorting file co
ii gcc [c-compiler] 4:4.1.1-7 The GNU C compiler
ii gcc-3.4 [c-compiler] 3.4.6-4 The GNU C compiler
ii gcc-4.0 [c-compiler] 4.0.3-7 The GNU C compiler
ii gcc-4.1 [c-compiler] 4.1.1-13 The GNU C compiler
-- no debconf information
--- /usr/bin/dpkg-source 2006-06-21 17:08:36.000000000 +0200
+++ ./dpkg-source 2006-09-30 10:20:58.000000000 +0200
@@ -624,11 +624,10 @@
$gpg_command = $gpg_command.quotemeta($dsc).' 2>&1';
my @gpg_output = `$gpg_command`;
- my $gpg_status = $? >> 8;
+ my $gpg_status = $?;
if ($gpg_status) {
print STDERR join("",@gpg_output);
- &error(sprintf(_g("failed to verify signature on %s"), $dsc))
- if ($gpg_status == 1);
+ &error(sprintf(_g("failed to verify signature on %s"), $dsc));
}
} else {
&warn(sprintf(_g("could not verify signature on %s since gpg isn't
installed"), $dsc));
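Review bot: with the `== 1` guard removed, every non-zero `$gpg_status` is now fatal, and because `$?` is no longer shifted by 8 the value also carries the low byte that Perl uses for the signal number and core-dump flag, so the single message `&error(sprintf(_g("failed to verify signature on %s"), $dsc));` will now fire both for a rejected signature and for gpg dying or failing to run; that tightening is the point of the patch, but the message should expose the raw status so a user can tell the two cases apart, e.g. `&error(sprintf(_g("failed to verify signature on %s (gpg status %d)"), $dsc, $gpg_status));`, and the changelog entry should state that statuses other than 1 are now hard errors rather than just printed.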