Package: debmirror
Version: 1:2.9
Severity: normal

I've just been implementing i18n/Index support in the Ubuntu archive,
and in the process I noticed that debmirror's parser is rather fragile.
In particular, it goes like this:

    while (<INDEX>) {
      last if /^SHA1:/;
    }
    while (<INDEX>) {
      next unless /^ /;

      my ($sha1, $size, $filename) = (/ ([a-z0-9]+) +(\d+) +(.*)$/);
      ...
    }

So, consider an Index file that looks like this:

  SHA1:
   <sha1> <size> <filename>
  SHA256:
   <sha256> <size> <filename>

This parser will parse both "<sha1> <size> <filename>" and "<sha256>
<size> <filename>" as SHA1 section data, and if I'm reading this
correctly the result will be that it will always fail to fetch i18n data
because it will compare its SHA1 checksum against a SHA256 checksum.  As
a result, this bug in debmirror prevents archives from using stronger
checksums.

I suggest that at minimum the 'next unless' line above should be 'last
unless', so that it stops at the end of the SHA1 section.  Of course, it
would also be nice if debmirror could speculatively add support for
stronger checksums.

(I realise that being able to substitute different package descriptions
is fairly weak as attack vectors go!)

Thanks,

-- 
Colin Watson                                       [[email protected]]



-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to