Your message dated Mon, 18 Mar 2013 06:02:37 +0000
with message-id <[email protected]>
and subject line Bug#695919: fixed in dpkg 1.16.10
has caused the Debian Bug report #695919,
regarding dpkg-source --require-valid-signature can be tricked
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
695919: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695919
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dpkg-dev
Version: 1.16.9
Severity: important
File: /usr/bin/dpkg-source

dpkg-source --require-valid-signature -x gnupg_1.4.12-6.dsc with the attached
dsc file will process the gnupg part of the dsc. This is however not covered by
the signature.

This happens as Dpkg::Control::Hash skips until an empty line:

        } elsif (m/^-----BEGIN PGP SIGNED MESSAGE/) {
            $expect_pgp_sig = 1;
            if ($$self->{'allow_pgp'}) {
                # Skip PGP headers
                while (<$fh>) {
                    last if m/^$/;   # only an exactly empty line ends the skip
                }

However, one can add trailing whitespace without breaking the signature,
causing the code to skip until the second section.

See also #695855.

Ansgar

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-32-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages dpkg-dev depends on:
ii  base-files    7.0
ii  binutils      2.22-7.1
ii  bzip2         1.0.6-4
ii  libdpkg-perl  1.16.9
ii  make          3.81-8.2
ii  patch         2.6.1-3
ii  xz-utils      5.1.1alpha+20120614-2

Versions of packages dpkg-dev recommends:
ii  build-essential          11.5
ii  clang [c-compiler]       3.1-8
ii  fakeroot                 1.18.4-2
ii  gcc [c-compiler]         4:4.7.2-1
ii  gcc-4.6 [c-compiler]     4.6.3-14
ii  gcc-4.7 [c-compiler]     4.7.2-4
ii  gnupg                    1.4.12-6
ii  gpgv                     1.4.12-6
ii  libalgorithm-merge-perl  0.08-2

Versions of packages dpkg-dev suggests:
ii  debian-keyring  2012.11.15

-- no debconf information

--- End Message ---
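As an added illustration (not Dpkg's code and not the reporter's attachment): a small Python model of the parsing behaviour described above, with the 1.16.9 skip loop beside a hardened variant that ends the Armor Headers on a whitespace-only line and insists on a signature block after the paragraph. The sample input, the placeholder signature and the position of the unsigned paragraph are constructed assumptions.

```python
import re

FIELD_RE = re.compile(r"^(\S+?)\s*:\s*(.*)$")  # field line, as in Dpkg::Control::Hash
# Constructed sample input (the signature data is a placeholder, not real).
GENUINE = (
    "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n"
    "Format: 3.0 (quilt)\nSource: signed-package\n\n"
    "-----BEGIN PGP SIGNATURE-----\nPLACEHOLDER-SIGNATURE-DATA\n"
    "-----END PGP SIGNATURE-----\n"
)
# Doctored variant (layout assumed here, not taken from the report): both
# separator lines carry trailing whitespace and a paragraph that no signature
# covers follows the signature block.
DOCTORED = (GENUINE.replace("SHA1\n\n", "SHA1\n   \n")
            .replace("package\n\n", "package\n   \n")
            + "\nFormat: 3.0 (quilt)\nSource: unsigned-package\n")
# Signed text cut off before the signature block.
TRUNCATED = GENUINE.split("\n\n-----BEGIN PGP SIGNATURE")[0] + "\n"

def parse_first_paragraph(text, strict):
    # strict=False mirrors dpkg 1.16.9: Armor Headers are skipped until an
    # exactly empty line and a paragraph ending at EOF is accepted as-is.
    # strict=True also ends the skip on a whitespace-only line and insists
    # on a signature block after the paragraph.
    lines = text.splitlines()
    i, in_armor = 0, False
    if lines and lines[0].startswith("-----BEGIN PGP SIGNED MESSAGE"):
        in_armor, i = True, 1
        ends = (lambda l: l.strip() == "") if strict else (lambda l: l == "")
        while i < len(lines) and not ends(lines[i]):
            i += 1  # with m/^$/ semantics a "   " line keeps skipping
        i += 1
    fields = {}
    while i < len(lines) and lines[i].strip():
        m = FIELD_RE.match(lines[i])
        if not m:
            raise ValueError("line with unknown format: %r" % lines[i])
        fields[m.group(1)] = m.group(2)
        i += 1
    if in_armor:
        if i == len(lines):  # paragraph ran straight into EOF
            if strict:
                raise ValueError("expected PGP signature, found EOF")
            return fields  # 1.16.9 never looked for the signature here
        while i < len(lines) and not lines[i].strip():
            i += 1
        if i == len(lines) or not lines[i].startswith("-----BEGIN PGP SIGNATURE"):
            raise ValueError("expected PGP signature block after the paragraph")
    return fields
```

On the doctored input the 1.16.9 model returns the unsigned paragraph, while the hardened model returns the paragraph that gpg actually hashes; on the truncated input only the hardened model rejects the missing signature block.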
--- Begin Message ---
Source: dpkg
Source-Version: 1.16.10

We believe that the bug you reported is fixed in the latest version of
dpkg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guillem Jover <[email protected]> (supplier of updated dpkg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 08 Mar 2013 04:41:26 +0100
Source: dpkg
Binary: libdpkg-dev dpkg dpkg-dev libdpkg-perl dselect
Architecture: source amd64 all
Version: 1.16.10
Distribution: unstable
Urgency: low
Maintainer: Dpkg Developers <[email protected]>
Changed-By: Guillem Jover <[email protected]>
Description: 
 dpkg       - Debian package management system
 dpkg-dev   - Debian package development tools
 dselect    - Debian package management front-end
 libdpkg-dev - Debian package management static library
 libdpkg-perl - Dpkg perl modules
Closes: 691954 692100 695919 698530 698869 700978 702627
Changes: 
 dpkg (1.16.10) unstable; urgency=low
 .
   [ Guillem Jover ]
   * Fix typos in 1.16.9 changelog entry. Closes: #691954
     Thanks to Nicolás Alvarez <[email protected]>.
   * Add missing @LIBLZMA_LIBS@ to Libs.Private in libdpkg.pc.in.
   * Do not use an undefined va_list variable in dpkg_put_errno().
   * Abort installation if we cannot set the security context for a file.
   * Fix OpenPGP armored signature parsing, to be resilient against doctored
     input, including source package control files. Closes: #695919
   * Make sure the OpenPGP armor contains a signature block, even on EOF.
   * Do not accept Armor Header Lines inside a paragraph.
   * Do not abort dselect when multiarch is detected, as that only makes
     users downgrade and hold on an older version w/ worse multiarch support.
   * Fix warning in Dpkg::Source::Archive with «perl -w» due to redefinition
     of getcwd() by removing unused POSIX modules usage. Closes: #700978
 .
   [ Updated programs translations ]
   * Esperanto (Felipe Castro).
   * Spanish (Javier Fernández-Sanguino).
   * Vietnamese (Trần Ngọc Quân). Closes: #692100
 .
   [ Updated scripts translations ]
   * Fix mistranslation in French translation of scripts.
     Thanks to Filipus Klutiero. Closes: #698530
   * Fix typos in French translation of scripts.
     Thanks to Sylvestre Ledru. Closes: #702627
   * Fix Russian translation (wrong order of parameters in a string).
     Thanks to Andrey Rahmatullin for noticing and Yuri Kozlov for fixing
     the translation. Closes: #698869
Checksums-Sha1: 
Checksums-Sha256: 
Files: 


--- End Message ---
