[lintian] 01/01: L::Util: Only allow [ \r\t] in GPG lines
This is an automated email from the git hooks/post-receive script.
nthykier pushed a commit to branch master
in repository lintian.
commit e30e9ac41321482456ffc2cfa38d3039e1ffb73e
Author: Niels Thykier <niels@thykier.net>
Date: Thu Apr 9 22:03:01 2015 +0200
L::Util: Only allow [ \r\t] in GPG lines
This is fundamentally the same issue that dpkg has (CVE-2015-0840).
The major exception being Lintian never made attempts to validate the
signature and therefore it is less problematic that it can be
"tricked".
Signed-off-by: Niels Thykier <niels@thykier.net>
---
debian/changelog | 3 +++
lib/Lintian/Util.pm | 14 +++++++-------
2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 671825c..747e1a3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -149,6 +149,9 @@ lintian (2.5.31) UNRELEASED; urgency=medium
* lib/Lintian/Util.pm:
+ [NT] Prefer dpkg-deb --ctrl-tarfile to "ar p" when dpkg
is recent enough.
+ + [NT] Stricten the permitted whitespace at the end of GPG
+ marker lines. This is the same issue as CVE-2015-0840,
+ except lintian never attempted to validate the signature.
* profiles/ubuntu/main.profile:
+ [BR] Exclude no-human-maintainers (Closes: #769036).
diff --git a/lib/Lintian/Util.pm b/lib/Lintian/Util.pm
index eff4a6d..817b8d0 100644
--- a/lib/Lintian/Util.pm
+++ b/lib/Lintian/Util.pm
@@ -416,7 +416,7 @@ sub visit_dpkg_paragraph {
# According to http://tools.ietf.org/html/rfc4880#section-6.2
# The header MUST start at the beginning of the line and MUST NOT have
# any other text (except whitespace) after the header.
- elsif (m/^-----BEGIN PGP SIGNATURE-----\s*$/)
+ elsif (m/^-----BEGIN PGP SIGNATURE-----[ \r\t]*$/)
{ # skip until end of signature
my $saw_end = 0;
if (not $signed or $signature) {
@@ -430,7 +430,7 @@ sub visit_dpkg_paragraph {
}
$signature = $.;
while (<$CONTROL>) {
- if (m/^-----END PGP SIGNATURE-----\s*$/o) {
+ if (m/^-----END PGP SIGNATURE-----[ \r\t]*$/o) {
$saw_end = 1;
last;
}
@@ -454,7 +454,7 @@ sub visit_dpkg_paragraph {
# - Valid, but we don't support partial messages, so
# bail on those.
- unless (m/^-----BEGIN PGP SIGNED MESSAGE-----\s*$/) {
+ unless (m/^-----BEGIN PGP SIGNED MESSAGE-----[ \r\t]*$/) {
# Not a (full) PGP MESSAGE; reject.
my $key = qr/(?:BEGIN|END) PGP (?:PUBLIC|PRIVATE) KEY BLOCK/;
@@ -462,7 +462,7 @@ sub visit_dpkg_paragraph {
my $msg
= qr/(?:BEGIN|END) PGP (?:(?:COMPRESSED|ENCRYPTED) )?MESSAGE/;
- if (m/^-----($key|$msgpart|$msg)-----\s*$/o) {
+ if (m/^-----($key|$msgpart|$msg)-----[ \r\t]*$/o) {
die "syntax error at line $.: Unexpected $1 header\n";
} else {
die "syntax error at line $.: Malformed PGP header\n";
@@ -479,7 +479,7 @@ sub visit_dpkg_paragraph {
# allow two paragraphs to merge. Consider:
#
# Field-P1: some-value
- # -----BEGIN PGP SIGANTURE----
+ # -----BEGIN PGP SIGNATURE-----
#
# Field-P2: another value
#
@@ -509,9 +509,9 @@ sub visit_dpkg_paragraph {
# two paragraphs to merge. Consider:
#
# Field-P1: some-value
- # -----BEGIN PGP SIGANTURE----
+ # -----BEGIN PGP SIGNATURE-----
# [...]
- # -----END PGP SIGANTURE----
+ # -----END PGP SIGNATURE-----
# Field-P2: another value
#
# At the time of writing: If $open_section is true, it
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/lintian/lintian.git
Reply to: