
Bug#749795: apt: no authentication checks for source packages



Hi Michael,

On Thu, June 12, 2014 13:52, Michael Vogt wrote:
> On Thu, Jun 12, 2014 at 11:44:20AM +0200, Thijs Kinkhorst wrote:
>> > apt: no authentication checks for source packages
>>
>> The Debian security team has assigned CVE-2014-0478 to this issue.
>>
>> APT developers: we should fix this in wheezy. Are you able to provide an
>> update for wheezy for this issue?
> [..]
>
> Attached is the fix for wheezy with a regression test, an additional
> test run is very welcome (works in my wheezy container both the
> testcase and a manual test when removing /var/lib/apt/lists/*Release*).

Thanks! I've built it and verified that it works for me as well (and solves
the issue). For the changelog: you need to target "wheezy-security", and
may want to add "closes: #749795" and urgency=high. With these changes you
can upload to security-master.debian.org. Make sure to build with full
source ("-sa") as wheezy-security doesn't yet have the orig tarball.

The patch seems to apply rather cleanly to squeeze, so an update for that
would be nice if possible. Fixing CVE-2011-3634 as well would be nice if
simple to do but not essential.


Cheers,
Thijs

