
[lintian] 01/01: L::Util: Only allow [ \r\t] in GPG lines



This is an automated email from the git hooks/post-receive script.

nthykier pushed a commit to branch master
in repository lintian.

commit e30e9ac41321482456ffc2cfa38d3039e1ffb73e
Author: Niels Thykier <niels@thykier.net>
Date:   Thu Apr 9 22:03:01 2015 +0200

    L::Util: Only allow [ \r\t] in GPG lines
    
    This is fundamentally the same issue that dpkg has (CVE-2015-0840).
    The major exception is that Lintian never attempted to validate the
    signature, so it is less problematic that the parser can be
    "tricked".
    
    Signed-off-by: Niels Thykier <niels@thykier.net>
---
 debian/changelog    |  3 +++
 lib/Lintian/Util.pm | 14 +++++++-------
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 671825c..747e1a3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -149,6 +149,9 @@ lintian (2.5.31) UNRELEASED; urgency=medium
   * lib/Lintian/Util.pm:
     + [NT] Prefer dpkg-deb --ctrl-tarfile to "ar p" when dpkg
       is recent enough.
+    + [NT] Stricten the permitted whitespace at the end of GPG
+      marker lines.  This is the same issue as CVE-2015-0840,
+      except lintian never attempted to validate the signature.
 
   * profiles/ubuntu/main.profile:
     + [BR] Exclude no-human-maintainers (Closes: #769036).
diff --git a/lib/Lintian/Util.pm b/lib/Lintian/Util.pm
index eff4a6d..817b8d0 100644
--- a/lib/Lintian/Util.pm
+++ b/lib/Lintian/Util.pm
@@ -416,7 +416,7 @@ sub visit_dpkg_paragraph {
         # According to http://tools.ietf.org/html/rfc4880#section-6.2
         # The header MUST start at the beginning of the line and MUST NOT have
         # any other text (except whitespace) after the header.
-        elsif (m/^-----BEGIN PGP SIGNATURE-----\s*$/)
+        elsif (m/^-----BEGIN PGP SIGNATURE-----[ \r\t]*$/)
         { # skip until end of signature
             my $saw_end = 0;
             if (not $signed or $signature) {
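Review bot: The comment at the top of this hunk still says the header may be followed by "any other text (except whitespace)", while the new `elsif` pattern deliberately accepts only space, tab and CR, so a later reader could widen it back to `\s*` and reintroduce exactly the CVE-2015-0840-style mismatch this commit closes. Suggest extending that comment with a line such as `# Deliberately [ \r\t]* rather than \s*: \s also matches \f, \v and (for decoded text) other Unicode spaces, which a signature verifier may not treat as part of the marker line.` The same trailing-whitespace class is repeated verbatim in the hunks at @@ -430, @@ -454 and @@ -462; one shared `my $eol = qr/[ \r\t]*$/;` interpolated into the five patterns would keep them from drifting apart again. `visit_dpkg_paragraph` begins and ends outside this hunk.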
@@ -430,7 +430,7 @@ sub visit_dpkg_paragraph {
             }
             $signature = $.;
             while (<$CONTROL>) {
-                if (m/^-----END PGP SIGNATURE-----\s*$/o) {
+                if (m/^-----END PGP SIGNATURE-----[ \r\t]*$/o) {
                     $saw_end = 1;
                     last;
                 }
@@ -454,7 +454,7 @@ sub visit_dpkg_paragraph {
             #    - Valid, but we don't support partial messages, so
             #      bail on those.
 
-            unless (m/^-----BEGIN PGP SIGNED MESSAGE-----\s*$/) {
+            unless (m/^-----BEGIN PGP SIGNED MESSAGE-----[ \r\t]*$/) {
                 # Not a (full) PGP MESSAGE; reject.
 
                 my $key = qr/(?:BEGIN|END) PGP (?:PUBLIC|PRIVATE) KEY BLOCK/;
@@ -462,7 +462,7 @@ sub visit_dpkg_paragraph {
                 my $msg
                   = qr/(?:BEGIN|END) PGP (?:(?:COMPRESSED|ENCRYPTED) )?MESSAGE/;
 
-                if (m/^-----($key|$msgpart|$msg)-----\s*$/o) {
+                if (m/^-----($key|$msgpart|$msg)-----[ \r\t]*$/o) {
                     die "syntax error at line $.: Unexpected $1 header\n";
                 } else {
                     die "syntax error at line $.: Malformed PGP header\n";
@@ -479,7 +479,7 @@ sub visit_dpkg_paragraph {
                     # allow two paragraphs to merge.  Consider:
                     #
                     # Field-P1: some-value
-                    # -----BEGIN PGP SIGANTURE----
+                    # -----BEGIN PGP SIGNATURE-----
                     #
                     # Field-P2: another value
                     #
@@ -509,9 +509,9 @@ sub visit_dpkg_paragraph {
             # two paragraphs to merge.  Consider:
             #
             # Field-P1: some-value
-            # -----BEGIN PGP SIGANTURE----
+            # -----BEGIN PGP SIGNATURE-----
             # [...]
-            # -----END PGP SIGANTURE----
+            # -----END PGP SIGNATURE-----
             # Field-P2: another value
             #
             # At the time of writing: If $open_section is true, it
