Package: dpkg-dev
Version: 1.13.22
Severity: wishlist
Tags: patch

I'm not sure what the subset of non-zero exit statuses that result after this bitshifting means (FWIW, the gpg manpage only makes a distinction between zero and non-zero status), but it's clearly something we don't want. If gpg returns non-zero, it is a potential security issue and I think it should be treated as an unpack error.
Patch attached.

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-2-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)

Versions of packages dpkg-dev depends on:
ii  binutils            2.17-2       The GNU assembler, linker and bina
ii  cpio                2.6-17       GNU cpio -- a program to manage ar
ii  dpkg                1.13.22      package maintenance system for Deb
ii  make                3.81-3       The GNU version of the "make" util
ii  patch               2.5.9-4      Apply a diff file to an original
ii  perl [perl5]        5.8.8-6.1    Larry Wall's Practical Extraction
ii  perl-modules        5.8.8-6.1    Core Perl modules

Versions of packages dpkg-dev recommends:
ii  bzip2               1.0.3-6      high-quality block-sorting file co
ii  gcc [c-compiler]    4:4.1.1-7    The GNU C compiler
ii  gcc-3.4 [c-compiler] 3.4.6-4     The GNU C compiler
ii  gcc-4.0 [c-compiler] 4.0.3-7     The GNU C compiler
ii  gcc-4.1 [c-compiler] 4.1.1-13    The GNU C compiler

-- no debconf information
--- /usr/bin/dpkg-source 2006-06-21 17:08:36.000000000 +0200 +++ ./dpkg-source 2006-09-30 10:20:58.000000000 +0200 @@ -624,11 +624,10 @@ $gpg_command = $gpg_command.quotemeta($dsc).' 2>&1'; my @gpg_output = `$gpg_command`; - my $gpg_status = $? >> 8; + my $gpg_status = $?; if ($gpg_status) { print STDERR join("",@gpg_output); - &error(sprintf(_g("failed to verify signature on %s"), $dsc)) - if ($gpg_status == 1); + &error(sprintf(_g("failed to verify signature on %s"), $dsc)); } } else { &warn(sprintf(_g("could not verify signature on %s since gpg isn't installed"), $dsc));
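Review bot: with the `if ($gpg_status == 1)` guard removed, the error message no longer tells the user which non-zero status gpg actually returned; consider carrying it into the text, e.g. `&error(sprintf(_g("failed to verify signature on %s (gpg status %d)"), $dsc, $gpg_status));`, so a bad signature and gpg failing for some other reason are distinguishable in the log. The change itself is the right fix, and it closes two gaps at once: `$?` holds the raw wait status, so a gpg process killed by a signal leaves only the low byte set and `$? >> 8` evaluates to zero, meaning the old code never entered the error branch at all; and for any exit code other than 1 the old code printed gpg's output and then carried on unpacking as if the signature had verified. Testing the raw `$?` against zero, as the hunk now does, treats every one of those outcomes as a verification failure.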
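The bitshifting the report is unsure about is Perl's wait-status encoding: the child's exit code lives in bits 8-15 of `$?`, a terminating signal in the low byte. The following script, an added example that is not part of the bug report or of dpkg-source, spawns throwaway children that exit with chosen codes or kill themselves, and runs both the original `$? >> 8` / `== 1` test and the patched raw-`$?` test over each result. The meanings attached to gpg exit codes in the labels are assumptions for illustration only; the point is which outcomes each check lets through.

```perl
#!/usr/bin/perl
# Added example (not from the bug report or dpkg-source): how Perl's $?
# encodes a child's termination, and why "$? >> 8" with an "== 1" guard
# is an unsafe verification test.
use strict;
use warnings;
use POSIX qw(WIFSIGNALED WTERMSIG WEXITSTATUS);

# Decode a raw wait status into a human-readable verdict.
sub describe_status {
    my ($raw) = @_;
    return 'failed to execute child' if $raw == -1;
    return sprintf('killed by signal %d', WTERMSIG($raw)) if WIFSIGNALED($raw);
    return sprintf('exited with code %d', WEXITSTATUS($raw));
}

# Original dpkg-source logic: shift first, then error only when the
# shifted value is exactly 1; everything else continues unpacking.
sub old_check_accepts {
    my ($raw) = @_;
    my $shifted = $raw >> 8;
    return $shifted != 1;
}

# Patched logic: any non-zero raw status is a verification failure.
sub new_check_accepts {
    my ($raw) = @_;
    return $raw == 0;
}

# Constructed children standing in for gpg; the code meanings in the
# labels are illustrative assumptions, not gpg's documented contract.
my @cases = (
    [ 'exit 0 (assume: good signature)', [ $^X, '-e', 'exit 0' ] ],
    [ 'exit 1 (assume: bad signature)',  [ $^X, '-e', 'exit 1' ] ],
    [ 'exit 2 (assume: other failure)',  [ $^X, '-e', 'exit 2' ] ],
    [ 'killed by SIGKILL',               [ $^X, '-e', 'kill "KILL", $$' ] ],
);

for my $case (@cases) {
    my ($label, $cmd) = @$case;
    system(@$cmd);          # list form: no shell, $? is the raw wait status
    my $raw = $?;
    printf "%-34s raw=%-4d shifted=%-3d %-22s old:%-7s new:%s\n",
        $label, $raw, $raw >> 8, describe_status($raw),
        old_check_accepts($raw) ? 'ACCEPT' : 'reject',
        new_check_accepts($raw) ? 'ACCEPT' : 'reject';
}
```

Run it with any Perl 5 on a POSIX system. The signal case is the one to watch: the raw status is the signal number, so `>> 8` yields 0 and the original check treats a gpg that never finished as a successful verification; the exit-2 case shows the second gap, where the `== 1` guard let every other non-zero code through. Only the patched test rejects all three failure rows.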