commit e30e9ac41321482456ffc2cfa38d3039e1ffb73e
Author: Niels Thykier <[email protected]>
Date: Thu Apr 9 22:03:01 2015 +0200
L::Util: Only allow [ \r\t] in GPG lines
This is fundamentally the same issue that dpkg has (CVE-2015-0840). The major exception being Lintian never made attempts to validate the signature and therefore it is less problematic that it can be "tricked".
Signed-off-by: Niels Thykier <[email protected]>
---
debian/changelog | 3 +++
lib/Lintian/Util.pm | 14 +++++++-------
2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 671825c..747e1a3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -149,6 +149,9 @@ lintian (2.5.31) UNRELEASED; urgency=medium
* lib/Lintian/Util.pm:
+ [NT] Prefer dpkg-deb --ctrl-tarfile to "ar p" when dpkg is recent enough.
+ + [NT] Stricten the permitted whitespace at the end of GPG
+ marker lines. This is the same issue as CVE-2015-0840,
+ except lintian never attempted to validate the signature.
* profiles/ubuntu/main.profile:
+ [BR] Exclude no-human-maintainers (Closes: #769036).
diff --git a/lib/Lintian/Util.pm b/lib/Lintian/Util.pm
index eff4a6d..817b8d0 100644
--- a/lib/Lintian/Util.pm
+++ b/lib/Lintian/Util.pm
@@ -416,7 +416,7 @@ sub visit_dpkg_paragraph {
# According to http://tools.ietf.org/html/rfc4880#section-6.2
# The header MUST start at the beginning of the line and MUST NOT have
# any other text (except whitespace) after the header.
- elsif (m/^-----BEGIN PGP SIGNATURE-----\s*$/)
+ elsif (m/^-----BEGIN PGP SIGNATURE-----[ \r\t]*$/)
{ # skip until end of signature
my $saw_end = 0;
if (not $signed or $signature) {
@@ -430,7 +430,7 @@ sub visit_dpkg_paragraph {
}
$signature = $.;
while (<$CONTROL>) {
- if (m/^-----END PGP SIGNATURE-----\s*$/o) {
+ if (m/^-----END PGP SIGNATURE-----[ \r\t]*$/o) {
$saw_end = 1;
last;
}
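Review bot: The comment directly above the changed `elsif` still says the marker may be followed by any whitespace, but the new class admits only space, CR and tab, and the reason (keeping this parser in step with dpkg after CVE-2015-0840, which only the commit message and changelog record) is absent from the code, so a later reader could put `\s*` back as a harmless clean-up. I would extend that comment: `# Deliberately [ \r\t] rather than \s: anything \s additionally accepts (e.g.` / `# form feed) would let this parser and dpkg disagree about where the armor` / `# starts (cf. CVE-2015-0840); $ still tolerates the line's own newline.`. The same comment is warranted for the END marker in the next hunk and for the SIGNED MESSAGE and error-path regexes in the two hunks after it, which make the identical change. visit_dpkg_paragraph begins before this hunk, and the lines appear to reach these tests unchomped (the `$` rather than `\z` depends on that).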
@@ -454,7 +454,7 @@ sub visit_dpkg_paragraph {
# - Valid, but we don't support partial messages, so
# bail on those.
- unless (m/^-----BEGIN PGP SIGNED MESSAGE-----\s*$/) {
+ unless (m/^-----BEGIN PGP SIGNED MESSAGE-----[ \r\t]*$/) {
# Not a (full) PGP MESSAGE; reject.
my $key = qr/(?:BEGIN|END) PGP (?:PUBLIC|PRIVATE) KEY BLOCK/;
@@ -462,7 +462,7 @@ sub visit_dpkg_paragraph {
my $msg = qr/(?:BEGIN|END) PGP (?:(?:COMPRESSED|ENCRYPTED) )?MESSAGE/;
- if (m/^-----($key|$msgpart|$msg)-----\s*$/o) {
+ if (m/^-----($key|$msgpart|$msg)-----[ \r\t]*$/o) {
die "syntax error at line $.: Unexpected $1 header\n";
} else {
die "syntax error at line $.: Malformed PGP header\n";
@@ -479,7 +479,7 @@ sub visit_dpkg_paragraph {
# allow two paragraphs to merge. Consider:
#
# Field-P1: some-value
- # -----BEGIN PGP SIGANTURE----
+ # -----BEGIN PGP SIGNATURE-----
#
# Field-P2: another value
#
@@ -509,9 +509,9 @@ sub visit_dpkg_paragraph {
# two paragraphs to merge. Consider:
#
# Field-P1: some-value
- # -----BEGIN PGP SIGANTURE----
+ # -----BEGIN PGP SIGNATURE-----
# [...]
- # -----END PGP SIGANTURE----
+ # -----END PGP SIGNATURE-----
# Field-P2: another value
#
# At the time of writing: If $open_section is true, it
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/lintian/lintian.git
-- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: https://lists.debian.org/[email protected]
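Review bot: The permitted trailing-whitespace class is now hand-written in four regexes (the SIGNED MESSAGE test here, the error-path test in the next hunk, and the BEGIN/END SIGNATURE tests in the two hunks before), so the next tightening or a typo in one copy would leave the armor markers parsed inconsistently within the same function. Since this block already builds its patterns from `qr` fragments (`$key`, `$msgpart`, `$msg`), one precompiled fragment declared near the top of visit_dpkg_paragraph (which starts before this hunk) would fit the existing style: `my $armor_eol = qr/[ \r\t]*$/;` and then `unless (m/^-----BEGIN PGP SIGNED MESSAGE-----$armor_eol/) {` and `if (m/^-----($key|$msgpart|$msg)-----$armor_eol/o) {`. The `/o` on that last regex pins the pattern at its first compilation, which is only safe because every interpolated fragment is a constant; a `$armor_eol` fragment keeps that property.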

