The following commit has been merged in the master branch:
commit afe626640a81a0191b06e2f4ae16eb2bd1b228c3
Author: Guillem Jover <[email protected]>
Date: Sun Dec 23 03:03:44 2012 +0100
Dpkg::Control::Hash: Do not accept Armor Header Lines inside a paragraph
Make sure that no fields are injected before a signed block.
Although the only possible attack is to add fields not present in the
signed block, as otherwise a syntax error due to duplicate field is
triggered.
diff --git a/debian/changelog b/debian/changelog
index 686920e..1ef5478 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,6 +9,7 @@ dpkg (1.16.10) UNRELEASED; urgency=low
* Fix OpenPGP armored signature parsing, to be resilient against doctored
input, including source package control files. Closes: #695919
* Make sure the OpenGPG armor contains a signature block, even on EOF.
+ * Do not accept Armor Header Lines inside a paragraph.
[ Updated programs translations ]
* Esperanto (Felipe Castro).
diff --git a/scripts/Dpkg/Control/Hash.pm b/scripts/Dpkg/Control/Hash.pm
index 5a1c1ca..b142876 100644
--- a/scripts/Dpkg/Control/Hash.pm
+++ b/scripts/Dpkg/Control/Hash.pm
@@ -169,6 +169,7 @@ sub parse {
my ($self, $fh, $desc) = @_;
my $paraborder = 1;
+ my $parabody = 0;
my $cf; # Current field
my $expect_pgp_sig = 0;
my $pgp_signed = 0;
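Review bot: The new `$parabody` flag is declared directly under `$paraborder` with no comment, and the two names differ by only a few letters while tracking different things. A trailing comment in the style already used for `$cf` would help, for example `my $parabody = 0; # Set once a field line has been parsed`. The later armor check depends on this flag, so its meaning is worth stating where it is declared. The body of parse continues outside this hunk.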
@@ -179,6 +180,7 @@ sub parse {
next if (m/^#/);
$paraborder = 0;
if (m/^(\S+?)\s*:\s*(.*)$/) {
+ $parabody = 1;
if (exists $self->{$1}) {
unless ($$self->{'allow_duplicate'}) {
syntaxerr($desc, sprintf(_g("duplicate field %s found"),
$1));
@@ -197,7 +199,7 @@ sub parse {
$self->{$cf} .= "\n$line";
} elsif (m/^-----BEGIN PGP SIGNED MESSAGE-----$/) {
$expect_pgp_sig = 1;
- if ($$self->{'allow_pgp'}) {
+ if ($$self->{'allow_pgp'} and not $parabody) {
# Skip PGP headers
while (<$fh>) {
last if m/^\s*$/;
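Review bot: The `not $parabody` condition carries the security reason for this change, yet the only nearby comment still reads `# Skip PGP headers`. I would add a comment above the `if`, such as `# Armor is only accepted before the first field; an earlier field would sit outside the signed block`. What happens when the condition is false lies outside this hunk; presumably an else branch raises a syntax error, as the new test's expectation of undef suggests. `$expect_pgp_sig = 1` is still assigned before the check, which is harmless only if that rejection path aborts parsing.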
diff --git a/scripts/Makefile.am b/scripts/Makefile.am
index 977146c..363eaf3 100644
--- a/scripts/Makefile.am
+++ b/scripts/Makefile.am
@@ -233,6 +233,7 @@ test_data = \
t/700_Dpkg_Control/bogus-armor-double.dsc \
t/700_Dpkg_Control/bogus-armor-no-sig.dsc \
t/700_Dpkg_Control/bogus-armor-trail.dsc \
+ t/700_Dpkg_Control/bogus-armor-inline.dsc \
t/700_Dpkg_Control/bogus-armor-nested.dsc \
t/700_Dpkg_Control/bogus-armor-spaces.dsc \
t/750_Dpkg_Substvars/substvars1 \
diff --git a/scripts/t/700_Dpkg_Control.t b/scripts/t/700_Dpkg_Control.t
index 77a4e5d..074e084 100644
--- a/scripts/t/700_Dpkg_Control.t
+++ b/scripts/t/700_Dpkg_Control.t
@@ -13,7 +13,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
-use Test::More tests => 21;
+use Test::More tests => 22;
use strict;
use warnings;
@@ -115,6 +115,9 @@ is($dsc, undef, 'Signed .dsc w/ OpenPGP armor missing
signature');
$dsc = parse_dsc("$datadir/bogus-armor-trail.dsc");
is($dsc, undef, 'Signed .dsc w/ bogus OpenPGP armor trailer');
+$dsc = parse_dsc("$datadir/bogus-armor-inline.dsc");
+is($dsc, undef, 'Signed .dsc w/ bogus OpenPGP inline armor');
+
$dsc = parse_dsc("$datadir/bogus-armor-double.dsc");
ok(defined $dsc, 'Signed .dsc w/ two OpenPGP armor signatures');
is($dsc->{Source}, 'pass', 'Signed spaced .dsc package name');
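Review bot: The added `is($dsc, undef, ...)` assertion passes on any failure of parse_dsc, so it would also pass if bogus-armor-inline.dsc were missing or were rejected for an unrelated reason. parse_dsc is defined outside this hunk; if it leaves the parser's error available to the caller, a second assertion matching the rejection message would tie the test to the inline-armor check, with the `tests =>` count raised to match. At minimum, a comment above the new lines such as `# A field placed before the armor header line must be rejected` would record what the fixture is meant to exercise.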
diff --git a/scripts/t/700_Dpkg_Control/bogus-armor-double.dsc
b/scripts/t/700_Dpkg_Control/bogus-armor-inline.dsc
similarity index 52%
copy from scripts/t/700_Dpkg_Control/bogus-armor-double.dsc
copy to scripts/t/700_Dpkg_Control/bogus-armor-inline.dsc
index 1888a00..44942c1 100644
--- a/scripts/t/700_Dpkg_Control/bogus-armor-double.dsc
+++ b/scripts/t/700_Dpkg_Control/bogus-armor-inline.dsc
@@ -1,13 +1,9 @@
+Source: fail
-----BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA1
-
-Source: pass
-
+
+Binary: pass
+
-----BEGIN PGP SIGNATURE-----
Valid signature here.
-----END PGP SIGNATURE-----
------BEGIN PGP SIGNATURE-----
-
-Fake signature here.
------END PGP SIGNATURE-----
--
dpkg's main repository