Your message dated Thu, 11 Sep 2014 06:49:21 +0000
with message-id <[email protected]>
and subject line Bug#695932: fixed in python-debian 0.1.23
has caused the Debian Bug report #695932,
regarding deb822: flawed handling of signed data
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
695932: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695932
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-debian
Version: 0.1.21+nmu2
Severity: important

debian.deb822 does not handle signed data properly and can be tricked into
processing unsigned data while thinking the data is signed.

I have attached an example program and *.dsc demonstrating the problem: it will
output "gnupg", but the Source field in the signed part of the file actually
says "dpkg".

See also #695855.

Ansgar

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-32-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages python-debian depends on:
ii  python          2.7.3-3
ii  python-chardet  2.0.1-2
ii  python-six      1.2.0-1

Versions of packages python-debian recommends:
ii  python-apt  0.8.8.1

Versions of packages python-debian suggests:
ii  gpgv  1.4.12-6

-- no debconf information
import debian.deb822

# Parse the attached test.dsc as a clearsigned .dsc
d = debian.deb822.Dsc(open("test.dsc", "r"))

# gpgv accepts the signature over the first (signed) paragraph ...
i = d.get_gpg_info()
assert i.valid()

# ... but the field value printed here comes from the unsigned paragraph
# that follows the signature block ("gnupg" rather than "dpkg")
print(d['Source'])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
  
Format: 3.0 (native)
Source: dpkg
Binary: libdpkg-dev, dpkg, dpkg-dev, libdpkg-perl, dselect
Architecture: any all
Version: 1.16.9
Origin: debian
Maintainer: Dpkg Developers <[email protected]>
Uploaders: Guillem Jover <[email protected]>, Raphaël Hertzog <[email protected]>
Homepage: http://wiki.debian.org/Teams/Dpkg
Standards-Version: 3.9.3
Vcs-Browser: http://git.debian.org/?p=dpkg/dpkg.git
Vcs-Git: git://git.debian.org/git/dpkg/dpkg.git
Build-Depends: debhelper (>= 7), pkg-config, flex, gettext (>= 0.18), po4a (>= 0.41), zlib1g-dev (>= 1:1.1.3-19.1), libbz2-dev, liblzma-dev, libselinux1-dev (>= 1.28-4) [linux-any], libncursesw5-dev, libtimedate-perl, libio-string-perl
Package-List: 
 dpkg deb admin required
 dpkg-dev deb utils optional
 dselect deb admin optional
 libdpkg-dev deb libdevel optional
 libdpkg-perl deb perl optional
Checksums-Sha1: 
 c48dd955f77afdc5eca959b96265b65cfddd665c 3697752 dpkg_1.16.9.tar.xz
Checksums-Sha256: 
 73cd7fba4e54acddd645346b4bc517030b9c35938e82215d3eeb8b4e7af26b7a 3697752 dpkg_1.16.9.tar.xz
Files: 
 4df9319b2d17e19cdb6fe94dacee44da 3697752 dpkg_1.16.9.tar.xz
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.12 (GNU/Linux)
  
iEYEARECAAYFAlCCLPQACgkQuW9ciZ2SjJsEOQCg9KaxkZ0aLCHIp4t3hBGz+gNA
ZBUAoPaJf0WyU37ati2pIqBRgXX5bNeP
=qdPv
-----END PGP SIGNATURE-----  

Format: 3.0 (quilt)
Source: gnupg
Binary: gnupg, gnupg-curl, gpgv, gnupg-udeb, gpgv-udeb, gpgv-win32
Architecture: any all
Version: 1.4.12-6
Maintainer: Debian GnuPG-Maintainers <[email protected]>
Uploaders: Sune Vuorela <[email protected]>, Daniel Leidert <[email protected]>, Thijs Kinkhorst <[email protected]>
Homepage: http://www.gnupg.org
Standards-Version: 3.9.3
Vcs-Browser: http://svn.debian.org/wsvn/pkg-gnupg/gnupg/
Vcs-Svn: svn://svn.debian.org/svn/pkg-gnupg/gnupg/trunk/
Build-Depends: debhelper (>> 7), libz-dev, libldap2-dev, libbz2-dev, libusb-dev [!hurd-i386], libreadline-dev, file, gettext, libcurl4-gnutls-dev
Build-Depends-Indep: mingw-w64
Package-List: 
 gnupg deb utils important
 gnupg-curl deb utils optional
 gnupg-udeb udeb debian-installer extra
 gpgv deb utils important
 gpgv-udeb udeb debian-installer extra
 gpgv-win32 deb utils extra
Checksums-Sha1: 
 790587e440ec7d429b120db7a96a237badc638fd 4939171 gnupg_1.4.12.orig.tar.gz
 ad9793124c400ca7e858291155b42b53ee87d2d4 92008 gnupg_1.4.12-6.debian.tar.gz
Checksums-Sha256: 
 bb94222fa263e55a5096fdc1c6cd60e9992602ce5067bc453a4ada77bb31e367 4939171 gnupg_1.4.12.orig.tar.gz
 2d146235f3ff89f119849d34f455ba659c0e0dd0c08693305bac56a33dfe5978 92008 gnupg_1.4.12-6.debian.tar.gz
Files: 
 f9a65ccd7166d3fdb084454cf7427564 4939171 gnupg_1.4.12.orig.tar.gz
 e23c2823d4105bfd4597fa4d1c88a87d 92008 gnupg_1.4.12-6.debian.tar.gz

-----END PGP NOSIGNATURE-----
Version: vim v7.3.547 (GNU/Linux)

Signed and approved.
-----END PGP NOSIGNATURE-----

--- End Message ---
--- Begin Message ---
Source: python-debian
Source-Version: 0.1.23

We believe that the bug you reported is fixed in the latest version of
python-debian, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
John Wright <[email protected]> (supplier of updated python-debian package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 10 Sep 2014 23:18:38 -0700
Source: python-debian
Binary: python-debian python3-debian
Architecture: source all
Version: 0.1.23
Distribution: unstable
Urgency: medium
Maintainer: Debian python-debian Maintainers <[email protected]>
Changed-By: John Wright <[email protected]>
Description:
 python-debian - Python modules to work with Debian-related data formats
 python3-debian - Python 3 modules to work with Debian-related data formats
Closes: 634848 655988 670679 671485 695932 712513 718355 732599 743174 760488
Changes:
 python-debian (0.1.23) unstable; urgency=medium
 .
   [ Stuart Prescott ]
   * Add sha512 sums to Release and Sources (Closes: #732599).
   * Use warnings rather than stderr in PkgRelation (Closes: #712513).
   * Expose the list of bugs closed by a changelog entry; thanks to Jelmer
     Vernooi and Stefano Rivera for patches (Closes: #634848).
   * Add support for .deb with uncompressed data.tar member (Closes: #718355).
   * Prefer the internal parser rather than apt's TagFile for processing deb822
     files unless explicitly called to process Packages or Sources files:
     - prevents paragraph parsing truncating on comments (Closes: #743174).
     - fix parsing of paragraphs when separated by more whitespace than just a
       newline (Closes: #655988). (Finally fixing interactions with devscripts'
       wrap-and-sort!)
   * Parse foreign architecture (package:any) relationships and also other
     multi-arch related relationships (Closes: #670679)
   * Parse build-profiles syntax.
 .
   [ John Wright ]
   * Fix a GPG validation bug.  With some trailing whitespace, the code
     could be tricked into validating a signature, but using the bogus
     data after the signed section (Closes: #695932).
   * Drop support for python2.5.  (This allows us to do fewer import hacks
     in deb822, and probably other modules as well.)
   * Add a deb822.RestrictedWrapper class, for exposing read-only access
     to a Deb822 instance's field values as strings, while restricting
     write access to some fields, which are exposed via properties.
   * deb822.Deb822Dict.dump: Add a text_mode parameter for dumping to
     file(-like) objects that assume text/unicode input.
   * Add a copyright module, for parsing machine-readable debian/copyright
     files (Closes: #671485).
   * Make deb822 tests hermetic with respect to debian-keyring updates
     (Closes: #760488).
Checksums-Sha1:
 12dfdc516cca4cb97db35d2058b557ce86ab4226 1861 python-debian_0.1.23.dsc
 ad2363927297a16bd152f08ff268b2af147731d5 288092 python-debian_0.1.23.tar.xz
 a9808610d3fe406bb66e6bbdd5c69201b669ae13 70630 python-debian_0.1.23_all.deb
 61b44f5a2700e399d78a2c8ee795fe25d40cd08d 50384 python3-debian_0.1.23_all.deb
Checksums-Sha256:
 e24ef01c4d285c442577b53644211510c10767a58a6e1c8df2aa7c1b1332b00b 1861 python-debian_0.1.23.dsc
 cb057ba2003fd7738f295b15a1e24f1983ce8bc3725613b4ce80013a55fb0b56 288092 python-debian_0.1.23.tar.xz
 d55ecce6400a5f8504aa8d8ce76846aab5cebea6003a1e1a240ba1f93e6f88f6 70630 python-debian_0.1.23_all.deb
 ebed90218dde5f9a5a5d598db3533208a0bf9683b717c2c597ab95377ca0d69b 50384 python3-debian_0.1.23_all.deb
Files:
 7d81d9acc4168890e10a6f4902c53ecc 70630 python optional python-debian_0.1.23_all.deb
 2ae2e6469ffb87c8d0ea6582c22bd48b 50384 python optional python3-debian_0.1.23_all.deb
 b3e9d9f696604ab144d5aed316c808dc 1861 python optional python-debian_0.1.23.dsc
 f5458e5d1379feaf5a837e7f866b1b7a 288092 python optional python-debian_0.1.23.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCgAGBQJUEUIQAAoJEOdiPQlLQO87z2cH/3LroAIC4gDT+ux4K11jwaRX
swQId21MKCOxDncnNUx+cwPqUi0YuHhOhp8XEsy7/7g1gDSddJJ+2WkpN0PKgLSx
2lyLtF6BJ+JykAOV3sPz993q5b0+7QJ3/3Fwq2ICzS0bFsLB9XpsRK75uogr6knp
gfOnEn03cyK5JurRdmmK1w0wVtS7ZyktaGYlknZi7xxwIb+IbVgDebpPxHj3TDzC
U9QHA5ZVziuNPeVWqgimk8BWJH0ngL+MRc5frAed4M6Zyd+mug1IetJzxaD+mBzm
W54HlaARddfiVYnXR8FaQVXEYOj76xirQf1jAaLxizwmz4C6zt6YqD2CikmTW7w=
=jb3+
-----END PGP SIGNATURE-----

--- End Message ---
-- 
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-python-debian-maint
