Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package lintian.  It fixes a bug in the parsing of GPG
headers in control files (e.g. .changes).

Please note that the BTS / Britney believes this version of lintian to
introduce #775760.  This behaviour was already present in previous
versions of Lintian.  I have reassigned it and put a more accurate
found version on it.

unblock lintian/2.5.30+deb8u4

Thanks,
~Niels
diff -Nru lintian-2.5.30+deb8u3/debian/changelog lintian-2.5.30+deb8u4/debian/changelog
--- lintian-2.5.30+deb8u3/debian/changelog	2014-11-28 23:21:10.000000000 +0100
+++ lintian-2.5.30+deb8u4/debian/changelog	2015-04-09 22:09:32.000000000 +0200
@@ -1,3 +1,12 @@
+lintian (2.5.30+deb8u4) unstable; urgency=medium
+
+  * lib/Lintian/Util.pm:
+    + [NT] Stricten the permitted whitespace at the end of GPG
+      marker lines.  This is the same issue as CVE-2015-0840,
+      except lintian never attempted to validate the signature.
+
+ -- Niels Thykier <ni...@thykier.net>  Thu, 09 Apr 2015 22:09:29 +0200
+
 lintian (2.5.30+deb8u3) unstable; urgency=medium
 
   * helpers/coll/objdump-info-helper:
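Review bot: The changelog entry names CVE-2015-0840 but does not say what a loosely matched marker line lets through; the existing comments in Util.pm describe the concern (a mis-recognised marker allowing two paragraphs to merge), and one sentence to that effect here would make the stable update self-explanatory to whoever triages it later.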
diff -Nru lintian-2.5.30+deb8u3/lib/Lintian/Util.pm lintian-2.5.30+deb8u4/lib/Lintian/Util.pm
--- lintian-2.5.30+deb8u3/lib/Lintian/Util.pm	2014-11-28 23:18:08.000000000 +0100
+++ lintian-2.5.30+deb8u4/lib/Lintian/Util.pm	2015-04-09 22:05:41.000000000 +0200
@@ -412,7 +412,7 @@
         # According to http://tools.ietf.org/html/rfc4880#section-6.2
         # The header MUST start at the beginning of the line and MUST NOT have
         # any other text (except whitespace) after the header.
-        elsif (m/^-----BEGIN PGP SIGNATURE-----\s*$/)
+        elsif (m/^-----BEGIN PGP SIGNATURE-----[ \r\t]*$/)
         { # skip until end of signature
             my $saw_end = 0;
             if (not $signed or $signature) {
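Review bot: `[ \r\t]*` is deliberately narrower than `\s*`: in Perl `\s` also matches form feed, vertical tab (Perl 5.18 and later) and, on decoded strings, Unicode space characters, so a marker line padded with any of those is now rejected as a malformed header instead of being silently accepted as the start of the signature block. The `$` anchor still tolerates the final newline, so files with `\r\n` line endings keep parsing. A regression test feeding a marker line padded with a form feed would pin the new behaviour.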
@@ -426,7 +426,7 @@
             }
             $signature = $.;
             while (<$CONTROL>) {
-                if (m/^-----END PGP SIGNATURE-----\s*$/o) {
+                if (m/^-----END PGP SIGNATURE-----[ \r\t]*$/o) {
                     $saw_end = 1;
                     last;
                 }
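Review bot: Good that the END marker gets the same character class; otherwise a signature block could be opened strictly and closed loosely. The `/o` modifier on this pattern is a no-op because it interpolates no variables, and the matching BEGIN pattern in the previous hunk has none; dropping it would make the two lines consistent, though it is not needed for the fix.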
@@ -450,7 +450,7 @@
             #    - Valid, but we don't support partial messages, so
             #      bail on those.
 
-            unless (m/^-----BEGIN PGP SIGNED MESSAGE-----\s*$/) {
+            unless (m/^-----BEGIN PGP SIGNED MESSAGE-----[ \r\t]*$/) {
                 # Not a (full) PGP MESSAGE; reject.
 
                 my $key = qr/(?:BEGIN|END) PGP (?:PUBLIC|PRIVATE) KEY BLOCK/;
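Review bot: With the narrower class, a `BEGIN PGP SIGNED MESSAGE` line carrying any other whitespace now falls into the `# Not a (full) PGP MESSAGE; reject.` branch, which is the right fail-closed outcome. Since the difference between the two character classes is invisible in a terminal, it would help if the resulting error mentioned trailing characters after the marker, so the cause of the rejection is obvious from the output alone.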
@@ -458,7 +458,7 @@
                 my $msg
                   = qr/(?:BEGIN|END) PGP (?:(?:COMPRESSED|ENCRYPTED) )?MESSAGE/;
 
-                if (m/^-----($key|$msgpart|$msg)-----\s*$/o) {
+                if (m/^-----($key|$msgpart|$msg)-----[ \r\t]*$/o) {
                     die "syntax error at line $.: Unexpected $1 header\n";
                 } else {
                     die "syntax error at line $.: Malformed PGP header\n";
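Review bot: `/o` on an interpolating pattern compiles it once for the life of the process; that is only safe because `$key`, `$msg` and `$msgpart` (the last defined outside the shown context) are constant `qr//` values rebuilt identically on every call. If any of them ever becomes data-dependent the `o` must go, so a short comment saying why it is there would prevent a future surprise. Note that a key-block or message header padded with whitespace outside `[ \r\t]` now reaches the generic `Malformed PGP header` message rather than the more specific `Unexpected $1 header`, which is acceptable but worth knowing when reading bug reports.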
@@ -475,7 +475,7 @@
                     # allow two paragraphs to merge.  Consider:
                     #
                     # Field-P1: some-value
-                    # -----BEGIN PGP SIGANTURE----
+                    # -----BEGIN PGP SIGNATURE-----
                     #
                     # Field-P2: another value
                     #
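Review bot: Worth noting that the old comment's `-----BEGIN PGP SIGANTURE----` (misspelt, four trailing dashes) would never have matched the marker regex, so the example did not actually illustrate the paragraph-merge case the comment warns about; with the spelling and dash count corrected it now shows a line the parser really treats as a marker. Comment-only change, no behaviour impact.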
@@ -505,9 +505,9 @@
             # two paragraphs to merge.  Consider:
             #
             # Field-P1: some-value
-            # -----BEGIN PGP SIGANTURE----
+            # -----BEGIN PGP SIGNATURE-----
             # [...]
-            # -----END PGP SIGANTURE----
+            # -----END PGP SIGNATURE-----
             # Field-P2: another value
             #
             # At the time of writing: If $open_section is true, it
