Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package lintian. It fixes a bug in the parsing of GPG headers in control files (e.g. .changes).

Please note that the BTS / Britney believes this version of lintian to introduce #775760. This behaviour was already present in previous versions of Lintian. I have reassigned it and put a more accurate found version on it.

unblock lintian/2.5.30+deb8u4

Thanks,
~Niels
diff -Nru lintian-2.5.30+deb8u3/debian/changelog lintian-2.5.30+deb8u4/debian/changelog --- lintian-2.5.30+deb8u3/debian/changelog 2014-11-28 23:21:10.000000000 +0100 +++ lintian-2.5.30+deb8u4/debian/changelog 2015-04-09 22:09:32.000000000 +0200 @@ -1,3 +1,12 @@ +lintian (2.5.30+deb8u4) unstable; urgency=medium + + * lib/Lintian/Util.pm: + + [NT] Stricten the permitted whitespace at the end of GPG + marker lines. This is the same issue as CVE-2015-0840, + except lintian never attempted to validate the signature. + + -- Niels Thykier <ni...@thykier.net> Thu, 09 Apr 2015 22:09:29 +0200 + lintian (2.5.30+deb8u3) unstable; urgency=medium * helpers/coll/objdump-info-helper: diff -Nru lintian-2.5.30+deb8u3/lib/Lintian/Util.pm lintian-2.5.30+deb8u4/lib/Lintian/Util.pm --- lintian-2.5.30+deb8u3/lib/Lintian/Util.pm 2014-11-28 23:18:08.000000000 +0100 +++ lintian-2.5.30+deb8u4/lib/Lintian/Util.pm 2015-04-09 22:05:41.000000000 +0200 @@ -412,7 +412,7 @@ # According to http://tools.ietf.org/html/rfc4880#section-6.2 # The header MUST start at the beginning of the line and MUST NOT have # any other text (except whitespace) after the header. - elsif (m/^-----BEGIN PGP SIGNATURE-----\s*$/) + elsif (m/^-----BEGIN PGP SIGNATURE-----[ \r\t]*$/) { # skip until end of signature my $saw_end = 0; if (not $signed or $signature) { @@ -426,7 +426,7 @@ } $signature = $.; while (<$CONTROL>) { - if (m/^-----END PGP SIGNATURE-----\s*$/o) { + if (m/^-----END PGP SIGNATURE-----[ \r\t]*$/o) { $saw_end = 1; last; } @@ -450,7 +450,7 @@ # - Valid, but we don't support partial messages, so # bail on those. - unless (m/^-----BEGIN PGP SIGNED MESSAGE-----\s*$/) { + unless (m/^-----BEGIN PGP SIGNED MESSAGE-----[ \r\t]*$/) { # Not a (full) PGP MESSAGE; reject. my $key = qr/(?:BEGIN|END) PGP (?:PUBLIC|PRIVATE) KEY BLOCK/; 
@@ -458,7 +458,7 @@ my $msg = qr/(?:BEGIN|END) PGP (?:(?:COMPRESSED|ENCRYPTED) )?MESSAGE/; - if (m/^-----($key|$msgpart|$msg)-----\s*$/o) { + if (m/^-----($key|$msgpart|$msg)-----[ \r\t]*$/o) { die "syntax error at line $.: Unexpected $1 header\n"; } else { die "syntax error at line $.: Malformed PGP header\n"; @@ -475,7 +475,7 @@ # allow two paragraphs to merge. Consider: # # Field-P1: some-value - # -----BEGIN PGP SIGANTURE---- + # -----BEGIN PGP SIGNATURE----- # # Field-P2: another value # @@ -505,9 +505,9 @@ # two paragraphs to merge. Consider: # # Field-P1: some-value - # -----BEGIN PGP SIGANTURE---- + # -----BEGIN PGP SIGNATURE----- # [...] - # -----END PGP SIGANTURE---- + # -----END PGP SIGNATURE----- # Field-P2: another value # # At the time of writing: If $open_section is true, it
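Review bot: in the `@@ -412,7 +412,7 @@` hunk, the new class `[ \r\t]*` is the substantive part of the fix: Perl's `\s` also matches `\n`, `\f` and (in recent perls) vertical tab, so `\s*$` accepted marker lines carrying vertical whitespace that GnuPG does not treat as an armor header, leaving the two parsers disagreeing on where the signed section starts. Because `$` still matches before a trailing newline, ordinary `\n`-terminated lines read via `<$CONTROL>` continue to match, and keeping `\r` preserves tolerance for CRLF input. The comment above the branch still says "(except whitespace)"; suggest spelling out that only space, tab and CR are accepted, e.g. `# any other text (except space, tab or CR) after the header.`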
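Review bot: in the `@@ -426,7 +426,7 @@` hunk, tightening the `END PGP SIGNATURE` match is needed for consistency, but note the behavioural consequence: `$saw_end` is only set when the stricter pattern matches, so a signature block whose END line carries a form feed or vertical tab now runs to end of file instead of closing the block, and the existing "saw_end" handling after the loop is what reports it. A test file with such a trailing character on the END line would pin that down. The `/o` modifier is harmless on a pattern with no interpolated variables, but it is also unnecessary.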
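Review bot: in the `@@ -458,7 +458,7 @@` hunk, the error-reporting regex is tightened in step with the parsing regexes, which keeps the diagnostics coherent: a BEGIN/END line that the main parser now rejects because of stray vertical whitespace falls through to the generic `Malformed PGP header` message rather than being reported as an unexpected but well-formed header. That is the right outcome, since such a line is malformed under the stricter rule; no change requested, but the `$msgpart` pattern referenced here is defined outside the visible context, so confirm it is anchored the same way as `$key` and `$msg`.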
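Review bot: the `@@ -475,7 +475,7 @@` and `@@ -505,9 +505,9 @@` hunks only correct the `SIGANTURE` typo and the dash count in comments; they change no behaviour, which is worth stating in the unblock request so the release team can see that the diff beyond the four regex lines is cosmetic.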