
Ubuntu dpkg 1.17.24ubuntu2



This e-mail has been sent due to an upload to Ubuntu that contains Ubuntu
changes.  It contains the difference between the new version and the
previous version of the same source package in Ubuntu.
Format: 1.8
Date: Thu, 09 Apr 2015 11:41:14 -0400
Source: dpkg
Binary: libdpkg-dev dpkg dpkg-dev libdpkg-perl dselect
Architecture: source
Version: 1.17.24ubuntu2
Distribution: vivid
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers@ubuntu.com>
Description: 
 dpkg       - Debian package management system
 dpkg-dev   - Debian package development tools
 dselect    - Debian package management front-end
 libdpkg-dev - Debian package management static library
 libdpkg-perl - Dpkg perl modules
Changes: 
 dpkg (1.17.24ubuntu2) vivid; urgency=medium
 .
   * SECURITY UPDATE: OpenPGP Armor Header Line parsing issue
     - scripts/Dpkg/Control/HashCore.pm: adjust whitespace parsing.
     - scripts/Makefile.*, scripts/t/Dpkg_Control.t,
       scripts/t/Dpkg_Control/bogus-armor-formfeed.dsc: added tests.
     - Patch thanks to Guillem Jover
     - CVE-2015-0840
Checksums-Sha1: 
 03e25792a44c7d5251338011fad1d83fa2327821 2125 dpkg_1.17.24ubuntu2.dsc
 7a3c0e2d429daf78da22ac686c28ee695ba169dc 4386316 dpkg_1.17.24ubuntu2.tar.xz
Checksums-Sha256: 
 17de89af5d0f87878377e53ae8830e9502345453fdd2a322860f062fd318fd05 2125 dpkg_1.17.24ubuntu2.dsc
 4a92c83bd65ed22f6ab1f68504d1bc97bbe1f43024aa9c399eecd3f190bb1c90 4386316 dpkg_1.17.24ubuntu2.tar.xz
Files: 
 75a3ca21acfbd3f9b993644305d06dad 2125 admin required dpkg_1.17.24ubuntu2.dsc
 05d3d5169800f65ea04e6d03c6d2c960 4386316 admin required dpkg_1.17.24ubuntu2.tar.xz
Original-Maintainer: Dpkg Developers <debian-dpkg@lists.debian.org>
diff -pruN 1.17.24ubuntu1/debian/changelog 1.17.24ubuntu2/debian/changelog
--- 1.17.24ubuntu1/debian/changelog	2015-03-21 04:30:40.000000000 +0000
+++ 1.17.24ubuntu2/debian/changelog	2015-04-09 15:41:58.000000000 +0000
@@ -1,3 +1,14 @@
+dpkg (1.17.24ubuntu2) vivid; urgency=medium
+
+  * SECURITY UPDATE: OpenPGP Armor Header Line parsing issue
+    - scripts/Dpkg/Control/HashCore.pm: adjust whitespace parsing.
+    - scripts/Makefile.*, scripts/t/Dpkg_Control.t,
+      scripts/t/Dpkg_Control/bogus-armor-formfeed.dsc: added tests.
+    - Patch thanks to Guillem Jover
+    - CVE-2015-0840
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 09 Apr 2015 11:41:14 -0400
+
 dpkg (1.17.24ubuntu1) vivid; urgency=medium
 
   * Merge with Debian unstable, which pulls in bugfixes, and disables
diff -pruN 1.17.24ubuntu1/scripts/Dpkg/Control/HashCore.pm 1.17.24ubuntu2/scripts/Dpkg/Control/HashCore.pm
--- 1.17.24ubuntu1/scripts/Dpkg/Control/HashCore.pm	2015-02-22 20:04:13.000000000 +0000
+++ 1.17.24ubuntu2/scripts/Dpkg/Control/HashCore.pm	2015-04-09 15:41:26.000000000 +0000
@@ -196,8 +196,8 @@ sub parse {
     local $_;
 
     while (<$fh>) {
-	s/\s*\n$//;
-	next if length == 0 and $paraborder;
+	chomp;
+	next if m/^\s*$/ and $paraborder;
 	next if (m/^#/);
 	$paraborder = 0;
 	if (m/^(\S+?)\s*:\s*(.*)$/) {
@@ -211,6 +211,7 @@ sub parse {
 		    $self->parse_error($desc, _g('duplicate field %s found'), $name);
 		}
 	    }
+	    $value =~ s/\s*$//;
 	    $self->{$name} = $value;
 	    $cf = $name;
 	} elsif (m/^\s(\s*\S.*)$/) {
@@ -221,8 +222,9 @@ sub parse {
 	    if ($line =~ /^\.+$/) {
 		$line = substr $line, 1;
 	    }
+	    $line =~ s/\s*$//;
 	    $self->{$cf} .= "\n$line";
-	} elsif (m/^-----BEGIN PGP SIGNED MESSAGE-----$/) {
+	} elsif (m/^-----BEGIN PGP SIGNED MESSAGE-----[\r\t ]*$/) {
 	    $expect_pgp_sig = 1;
 	    if ($$self->{allow_pgp} and not $parabody) {
 		# Skip OpenPGP headers
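Review bot: The armor-line patterns in this hunk and in the two that follow (`-----BEGIN PGP SIGNED MESSAGE-----[\r\t ]*$`, and the `BEGIN`/`END PGP SIGNATURE` variants) accept only `[\r\t ]*` after the closing dashes, while the blank-line tests elsewhere in parse use `m/^\s*$/`, and nothing in the code records that the difference is deliberate, so a later cleanup could "harmonise" them back to `\s*` and undo the fix. Add a comment above the `BEGIN PGP SIGNED MESSAGE` branch such as `# Armor lines accept only the trailing whitespace OpenPGP tools tolerate; a wider match (e.g. a trailing form feed, CVE-2015-0840) would presumably make dpkg skip as a signature block text that the signature checker does not, so the fields parsed would not be the ones signed.` The same trailer is spelled out four times; hoisting it into one `qr/[\r\t ]*$/` declared at the top of parse (outside these hunks) would keep the copies from drifting. parse's body starts before and ends after this hunk.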
@@ -232,7 +234,8 @@ sub parse {
 	    } else {
 		$self->parse_error($desc, _g('OpenPGP signature not allowed here'));
 	    }
-	} elsif (length == 0 || ($expect_pgp_sig && m/^-----BEGIN PGP SIGNATURE-----$/)) {
+	} elsif (m/^\s*$/ ||
+	         ($expect_pgp_sig && m/^-----BEGIN PGP SIGNATURE-----[\r\t ]*$/)) {
 	    if ($expect_pgp_sig) {
 		# Skip empty lines
 		$_ = <$fh> while defined && m/^\s*$/;
@@ -240,15 +243,15 @@ sub parse {
 		    $self->parse_error($desc, _g('expected OpenPGP signature, ' .
 		                                 'found EOF after blank line'));
 		}
-		s/\s*\n$//;
-		unless (m/^-----BEGIN PGP SIGNATURE-----$/) {
+		chomp;
+		unless (m/^-----BEGIN PGP SIGNATURE-----[\r\t ]*$/) {
 		    $self->parse_error($desc, _g('expected OpenPGP signature, ' .
 		                                 "found something else \`%s'"), $_);
                 }
 		# Skip OpenPGP signature
 		while (<$fh>) {
-		    s/\s*\n$//;
-		    last if m/^-----END PGP SIGNATURE-----$/;
+		    chomp;
+		    last if m/^-----END PGP SIGNATURE-----[\r\t ]*$/;
 		}
 		unless (defined) {
 		    $self->parse_error($desc, _g('unfinished OpenPGP signature'));
diff -pruN 1.17.24ubuntu1/scripts/Makefile.am 1.17.24ubuntu2/scripts/Makefile.am
--- 1.17.24ubuntu1/scripts/Makefile.am	2015-02-22 20:04:13.000000000 +0000
+++ 1.17.24ubuntu2/scripts/Makefile.am	2015-04-09 15:41:26.000000000 +0000
@@ -272,6 +272,7 @@ test_data = \
 	t/Dpkg_Control/control-1 \
 	t/Dpkg_Control/bogus-unsigned.dsc \
 	t/Dpkg_Control/bogus-armor-double.dsc \
+	t/Dpkg_Control/bogus-armor-formfeed.dsc \
 	t/Dpkg_Control/bogus-armor-no-sig.dsc \
 	t/Dpkg_Control/bogus-armor-trail.dsc \
 	t/Dpkg_Control/bogus-armor-inline.dsc \
diff -pruN 1.17.24ubuntu1/scripts/Makefile.in 1.17.24ubuntu2/scripts/Makefile.in
--- 1.17.24ubuntu1/scripts/Makefile.in	2015-02-22 21:56:25.000000000 +0000
+++ 1.17.24ubuntu2/scripts/Makefile.in	2015-04-09 15:42:35.000000000 +0000
@@ -612,6 +612,7 @@ test_data = \
 	t/Dpkg_Control/control-1 \
 	t/Dpkg_Control/bogus-unsigned.dsc \
 	t/Dpkg_Control/bogus-armor-double.dsc \
+	t/Dpkg_Control/bogus-armor-formfeed.dsc \
 	t/Dpkg_Control/bogus-armor-no-sig.dsc \
 	t/Dpkg_Control/bogus-armor-trail.dsc \
 	t/Dpkg_Control/bogus-armor-inline.dsc \
diff -pruN 1.17.24ubuntu1/scripts/t/Dpkg_Control/bogus-armor-formfeed.dsc 1.17.24ubuntu2/scripts/t/Dpkg_Control/bogus-armor-formfeed.dsc
--- 1.17.24ubuntu1/scripts/t/Dpkg_Control/bogus-armor-formfeed.dsc	1970-01-01 00:00:00.000000000 +0000
+++ 1.17.24ubuntu2/scripts/t/Dpkg_Control/bogus-armor-formfeed.dsc	2015-04-09 15:41:26.000000000 +0000
@@ -0,0 +1,19 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+
+Source: fail
+
+-----BEGIN PGP SIGNATURE-----
+Version: vim v7.3.547 (GNU/Linux)
+
+Fake signature here.
+-----END PGP SIGNATURE-----
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+Source: pass
+
+-----BEGIN PGP SIGNATURE
+Version: GnuPG v1.4.12 (GNU/Linux)
+
+Valid signature here.
+-----END PGP SIGNATURE-----
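Review bot: As rendered here the bogus armor line reads `-----BEGIN PGP SIGNATURE` with neither the closing dashes nor the form feed the fixture's name refers to; presumably a trailing `-----` and a 0x0C byte were lost in the mail rendering. If the committed file really lacks them, that line fails both the old and the new `BEGIN PGP SIGNATURE` pattern, so the new test would presumably pass without the HashCore.pm change and would not catch a regression of CVE-2015-0840. Worth confirming with `od -c` on the checked-in fixture that the line ends in `-----` followed by a form feed.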
diff -pruN 1.17.24ubuntu1/scripts/t/Dpkg_Control.t 1.17.24ubuntu2/scripts/t/Dpkg_Control.t
--- 1.17.24ubuntu1/scripts/t/Dpkg_Control.t	2015-02-22 20:04:13.000000000 +0000
+++ 1.17.24ubuntu2/scripts/t/Dpkg_Control.t	2015-04-09 15:41:26.000000000 +0000
@@ -16,7 +16,7 @@
 use strict;
 use warnings;
 
-use Test::More tests => 23;
+use Test::More tests => 24;
 use IO::String;
 
 BEGIN {
@@ -120,6 +120,9 @@ is($dsc, undef, 'Signed .dsc w/ bogus Op
 $dsc = parse_dsc("$datadir/bogus-armor-inline.dsc");
 is($dsc, undef, 'Signed .dsc w/ bogus OpenPGP inline armor');
 
+$dsc = parse_dsc("$datadir/bogus-armor-formfeed.dsc");
+is($dsc, undef, 'Signed .dsc w/ bogus OpenPGP armor line');
+
 $dsc = parse_dsc("$datadir/bogus-armor-double.dsc");
 ok(defined $dsc, 'Signed .dsc w/ two OpenPGP armor signatures');
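Review bot: The new test's description, `'Signed .dsc w/ bogus OpenPGP armor line'`, is more generic than its siblings (`bogus OpenPGP inline armor`, `two OpenPGP armor signatures`) and does not say which bogus input is exercised, which makes a failure report harder to map to the fixture. Name the case as the fixture does: `is($dsc, undef, 'Signed .dsc w/ bogus OpenPGP armor trailing form feed');`. The test-count bump in the earlier hunk of this file is consistent with the one added assertion.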
 is($dsc->{Source}, 'pass', 'Signed spaced .dsc package name');
