This is an automated email from the git hooks/post-receive script. nthykier pushed a commit to branch jessie in repository lintian.
commit d816cc02dfedb9a7d37c5736ad67e8b024d6139a Author: Niels Thykier <[email protected]> Date: Thu Apr 9 22:03:01 2015 +0200 L::Util: Only allow [ \r\t] in GPG lines This is fundamentally the same issue that dpkg has (CVE-2015-0840). The major exception being Lintian never made attempts to validate the signature and therefore it is less problematic that it can be "tricked". Signed-off-by: Niels Thykier <[email protected]> Conflicts: debian/changelog --- debian/changelog | 9 +++++++++ lib/Lintian/Util.pm | 14 +++++++------- 2 files changed, 16 insertions(+), 7 deletions(-) diff --git a/debian/changelog b/debian/changelog index 72f59e6..9adcee3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +lintian (2.5.30+deb8u4) UNRELEASED; urgency=medium + + * lib/Lintian/Util.pm: + + [NT] Stricten the permitted whitespace at the end of GPG + marker lines. This is the same issue as CVE-2015-0840, + except lintian never attempted to validate the signature. + + -- Niels Thykier <[email protected]> Thu, 09 Apr 2015 22:06:48 +0200 + lintian (2.5.30+deb8u3) unstable; urgency=medium * helpers/coll/objdump-info-helper: diff --git a/lib/Lintian/Util.pm b/lib/Lintian/Util.pm index 2b5936d..c09de75 100644 --- a/lib/Lintian/Util.pm +++ b/lib/Lintian/Util.pm @@ -412,7 +412,7 @@ sub visit_dpkg_paragraph { # According to http://tools.ietf.org/html/rfc4880#section-6.2 # The header MUST start at the beginning of the line and MUST NOT have # any other text (except whitespace) after the header. - elsif (m/^-----BEGIN PGP SIGNATURE-----\s*$/) + elsif (m/^-----BEGIN PGP SIGNATURE-----[ \r\t]*$/) { # skip until end of signature my $saw_end = 0; if (not $signed or $signature) { @@ -426,7 +426,7 @@ sub visit_dpkg_paragraph { } $signature = $.; while (<$CONTROL>) { - if (m/^-----END PGP SIGNATURE-----\s*$/o) { + if (m/^-----END PGP SIGNATURE-----[ \r\t]*$/o) { $saw_end = 1; last; } 
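Review bot: The comment immediately above the changed `elsif` still paraphrases RFC 4880 §6.2 as permitting "whitespace" after the header, while the new pattern deliberately narrows that to SP, CR and TAB; without a why-comment the next maintainer is likely to "correct" it back to `\s*`. I would add, directly above the `elsif`: `# Deliberately [ \r\t] rather than \s: \s also matches form feed, vertical tab (perl >= 5.18) and, on decoded strings, Unicode spaces, so a crafted line could count as an armor header here but presumably not for gpg (cf. dpkg's fix for CVE-2015-0840; confirm against GnuPG's armor parser).` Note that the pattern still relies on `$` matching before the trailing "\n" that `<$CONTROL>` leaves on the line, so `\z` must not be substituted for it. The same character class is now repeated in four patterns of this sub; a single `my $armor_eol = qr/[ \r\t]*$/;` interpolated into each would keep them from drifting apart. visit_dpkg_paragraph starts and ends outside this hunk.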
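Review bot: The `/o` modifier on the changed `END PGP SIGNATURE` pattern is a no-op — the pattern interpolates nothing, so there is nothing for `/o` to cache — and it is absent from the sibling `BEGIN PGP SIGNATURE` pattern in the hunk above. For consistency I would write `if (m/^-----END PGP SIGNATURE-----[ \r\t]*$/) {`. The inner `while (<$CONTROL>)` loop and the enclosing sub continue outside the hunk.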
@@ -450,7 +450,7 @@ sub visit_dpkg_paragraph { # - Valid, but we don't support partial messages, so # bail on those. - unless (m/^-----BEGIN PGP SIGNED MESSAGE-----\s*$/) { + unless (m/^-----BEGIN PGP SIGNED MESSAGE-----[ \r\t]*$/) { # Not a (full) PGP MESSAGE; reject. my $key = qr/(?:BEGIN|END) PGP (?:PUBLIC|PRIVATE) KEY BLOCK/; @@ -458,7 +458,7 @@ sub visit_dpkg_paragraph { my $msg = qr/(?:BEGIN|END) PGP (?:(?:COMPRESSED|ENCRYPTED) )?MESSAGE/; - if (m/^-----($key|$msgpart|$msg)-----\s*$/o) { + if (m/^-----($key|$msgpart|$msg)-----[ \r\t]*$/o) { die "syntax error at line $.: Unexpected $1 header\n"; } else { die "syntax error at line $.: Malformed PGP header\n"; @@ -475,7 +475,7 @@ sub visit_dpkg_paragraph { # allow two paragraphs to merge. Consider: # # Field-P1: some-value - # -----BEGIN PGP SIGANTURE---- + # -----BEGIN PGP SIGNATURE----- # # Field-P2: another value # @@ -505,9 +505,9 @@ sub visit_dpkg_paragraph { # two paragraphs to merge. Consider: # # Field-P1: some-value - # -----BEGIN PGP SIGANTURE---- + # -----BEGIN PGP SIGNATURE----- # [...] - # -----END PGP SIGANTURE---- + # -----END PGP SIGNATURE----- # Field-P2: another value # # At the time of writing: If $open_section is true, it -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/lintian/lintian.git -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: https://lists.debian.org/[email protected]
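Review bot: The `/o` on the changed `($key|$msgpart|$msg)` pattern freezes the regex at its first compilation for the life of the process, which is only correct because `$key`, `$msgpart` and `$msg` appear (from the visible lines) to be constant `qr//` lexicals; if any of them ever became conditional, the stale pattern would silently keep matching the old set of headers. Since the three pieces are already `qr//` objects, the modifier buys nothing measurable, so I would drop it: `if (m/^-----($key|$msgpart|$msg)-----[ \r\t]*$/) {`. Note that with the stricter tail this branch now only reports "Unexpected $1 header" when the bytes after the marker are SP, CR or TAB; anything else falls through to "Malformed PGP header", which is consistent with the BEGIN checks above and looks intended. `$msgpart` is defined between this hunk and the previous one, outside the visible lines, and visit_dpkg_paragraph ends outside the hunk.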

