
[lintian] 01/02: L::Util: Only allow [ \r\t] in GPG lines



This is an automated email from the git hooks/post-receive script.

nthykier pushed a commit to branch jessie
in repository lintian.

commit d816cc02dfedb9a7d37c5736ad67e8b024d6139a
Author: Niels Thykier <niels@thykier.net>
Date:   Thu Apr 9 22:03:01 2015 +0200

    L::Util: Only allow [ \r\t] in GPG lines
    
    This is fundamentally the same issue that dpkg has (CVE-2015-0840).
    The major exception is that Lintian never attempted to validate the
    signature, so it is less problematic that it can be "tricked".
    
    Signed-off-by: Niels Thykier <niels@thykier.net>
    
    Conflicts:
    	debian/changelog
---
 debian/changelog    |  9 +++++++++
 lib/Lintian/Util.pm | 14 +++++++-------
 2 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 72f59e6..9adcee3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+lintian (2.5.30+deb8u4) UNRELEASED; urgency=medium
+
+  * lib/Lintian/Util.pm:
+    + [NT] Stricten the permitted whitespace at the end of GPG
+      marker lines.  This is the same issue as CVE-2015-0840,
+      except lintian never attempted to validate the signature.
+
+ -- Niels Thykier <niels@thykier.net>  Thu, 09 Apr 2015 22:06:48 +0200
+
 lintian (2.5.30+deb8u3) unstable; urgency=medium
 
   * helpers/coll/objdump-info-helper:
diff --git a/lib/Lintian/Util.pm b/lib/Lintian/Util.pm
index 2b5936d..c09de75 100644
--- a/lib/Lintian/Util.pm
+++ b/lib/Lintian/Util.pm
@@ -412,7 +412,7 @@ sub visit_dpkg_paragraph {
         # According to http://tools.ietf.org/html/rfc4880#section-6.2
         # The header MUST start at the beginning of the line and MUST NOT have
         # any other text (except whitespace) after the header.
-        elsif (m/^-----BEGIN PGP SIGNATURE-----\s*$/)
+        elsif (m/^-----BEGIN PGP SIGNATURE-----[ \r\t]*$/)
         { # skip until end of signature
             my $saw_end = 0;
             if (not $signed or $signature) {
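Review bot: The comment on the three lines above the changed `BEGIN PGP SIGNATURE` pattern still says the header may be followed by "whitespace", which no longer describes the narrowed `[ \r\t]*`; the comment should record why the class is deliberately narrower than `\s`, e.g. `# We accept only [ \r\t] after the marker, not \s, so that a line we treat as a PGP marker is one gpg would also recognise (cf. CVE-2015-0840).` The same narrowed class is repeated literally in the hunks at lines 426, 450 and 458; a single `my $pgp_eol = qr/[ \r\t]*$/;` interpolated into each pattern would keep the five copies from drifting apart again. The diffstat shows only debian/changelog and Util.pm changed, so no regression test pins the narrowed class; a case with a form feed or vertical tab after the marker (accepted by `\s`, rejected by the new class) would catch a future regression. visit_dpkg_paragraph starts and ends outside this hunk.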
@@ -426,7 +426,7 @@ sub visit_dpkg_paragraph {
             }
             $signature = $.;
             while (<$CONTROL>) {
-                if (m/^-----END PGP SIGNATURE-----\s*$/o) {
+                if (m/^-----END PGP SIGNATURE-----[ \r\t]*$/o) {
                     $saw_end = 1;
                     last;
                 }
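Review bot: The rewritten `END PGP SIGNATURE` pattern keeps the `/o` modifier although it contains no interpolated variable, so the flag does nothing here and is inconsistent with the `BEGIN PGP SIGNED MESSAGE` pattern in the hunk at line 450, which has none; drop it: `if (m/^-----END PGP SIGNATURE-----[ \r\t]*$/) {`. The same flag survives on the interpolating pattern in the hunk at line 458, where it does have an effect (the pattern is compiled once per process), which is harmless while `$key`, `$msgpart` and `$msg` are fixed but would silently ignore any later change to them. The enclosing while loop and visit_dpkg_paragraph continue outside this hunk.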
@@ -450,7 +450,7 @@ sub visit_dpkg_paragraph {
             #    - Valid, but we don't support partial messages, so
             #      bail on those.
 
-            unless (m/^-----BEGIN PGP SIGNED MESSAGE-----\s*$/) {
+            unless (m/^-----BEGIN PGP SIGNED MESSAGE-----[ \r\t]*$/) {
                 # Not a (full) PGP MESSAGE; reject.
 
                 my $key = qr/(?:BEGIN|END) PGP (?:PUBLIC|PRIVATE) KEY BLOCK/;
@@ -458,7 +458,7 @@ sub visit_dpkg_paragraph {
                 my $msg
                   = qr/(?:BEGIN|END) PGP (?:(?:COMPRESSED|ENCRYPTED) )?MESSAGE/;
 
-                if (m/^-----($key|$msgpart|$msg)-----\s*$/o) {
+                if (m/^-----($key|$msgpart|$msg)-----[ \r\t]*$/o) {
                     die "syntax error at line $.: Unexpected $1 header\n";
                 } else {
                     die "syntax error at line $.: Malformed PGP header\n";
@@ -475,7 +475,7 @@ sub visit_dpkg_paragraph {
                     # allow two paragraphs to merge.  Consider:
                     #
                     # Field-P1: some-value
-                    # -----BEGIN PGP SIGANTURE----
+                    # -----BEGIN PGP SIGNATURE-----
                     #
                     # Field-P2: another value
                     #
@@ -505,9 +505,9 @@ sub visit_dpkg_paragraph {
             # two paragraphs to merge.  Consider:
             #
             # Field-P1: some-value
-            # -----BEGIN PGP SIGANTURE----
+            # -----BEGIN PGP SIGNATURE-----
             # [...]
-            # -----END PGP SIGANTURE----
+            # -----END PGP SIGNATURE-----
             # Field-P2: another value
             #
             # At the time of writing: If $open_section is true, it

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/lintian/lintian.git

