Your message dated Tue, 14 Apr 2015 15:36:39 +0000
with message-id <[email protected]>
and subject line Bug#782276: fixed in python-debian 0.1.27
has caused the Debian Bug report #782276,
regarding python-debian: Insecure parsing of OpenPGP Armor Header lines
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
782276: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782276
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-debian
Source-Version: 0.1.26
Severity: important
Tags: security
[ Because I've not tried to check the extent of the vulnerability,
I've set the severity to important; if it is really bad then it
probably deserves to be serious. ]
Hi!
While dealing with the dpkg security issue (fixed in 1.16.16, and the
upcoming 1.17.25), I checked other implementations and found that it
also affects the python-debian modules.
The parser is too lax and accepts any whitespace while GnuPG only
accepts [\r\t ] at the end of an Armor Header line, which means that a
message could be doctored to include lines that will be ignored by GnuPG
but parsed by the python-debian modules.
The attached untested patch should in principle fix this issue.
Thanks,
Guillem
From 94a5864b6666ca5c2d0760702f386047189a248e Mon Sep 17 00:00:00 2001
From: Guillem Jover <[email protected]>
Date: Thu, 9 Apr 2015 23:16:48 +0200
Subject: [PATCH] deb822: Fix OpenPGP Armor Header Line parsing
We should only accept [\r\t ] as trailing whitespace. Although RFC4880
does not clarify what whitespace really maps to, we should really match
the GnuPG implementation anyway, as that is what we use to verify the
signatures.
---
lib/debian/deb822.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/debian/deb822.py b/lib/debian/deb822.py
index 0c0748e..c1dcb17 100644
--- a/lib/debian/deb822.py
+++ b/lib/debian/deb822.py
@@ -638,7 +638,7 @@ class Deb822(Deb822Dict):
lines = []
gpg_post_lines = []
state = b'SAFE'
- gpgre = re.compile(br'^-----(?P<action>BEGIN|END) PGP (?P<what>[^-]+)-----\s*$')
+ gpgre = re.compile(br'^-----(?P<action>BEGIN|END) PGP (?P<what>[^-]+)-----[\r\t ]*$')
# Include whitespace-only lines in blank lines to split paragraphs.
# (see #715558)
blank_line = re.compile(b'^\s*$')
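Review bot: the regex change itself is right (Python's `\s` in a bytes pattern also matches `\f` and `\v`, which GnuPG does not strip from an armor header line), but the commit touches only lib/debian/deb822.py and adds no test; a regression test that runs the parser over a clearsigned paragraph whose `-----BEGIN PGP SIGNATURE-----` line is padded with `\f` or `\v` would pin the GnuPG-matching behaviour so a later cleanup does not reintroduce `\s`. Separately, the unchanged `blank_line = re.compile(b'^\s*$')` two lines below the fix is a non-raw bytes literal; writing it as `br'^\s*$'`, as the `gpgre` line already does, avoids relying on Python leaving the unknown escape `\s` intact.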
--
2.2.1.209.g41e5f3a
--- End Message ---
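The gap Guillem describes, as an added example that is not part of the bug report or of python-debian: the two regexes from the patch are applied side by side to constructed lines, and `disagreements()` returns the lines the 0.1.26 pattern accepted as armor header lines even though GnuPG (and the patched pattern) only tolerate `[\r\t ]` after the closing dashes.

```python
import re

# The two armor header patterns from the patch, verbatim.
OLD_GPGRE = re.compile(br'^-----(?P<action>BEGIN|END) PGP (?P<what>[^-]+)-----\s*$')
NEW_GPGRE = re.compile(br'^-----(?P<action>BEGIN|END) PGP (?P<what>[^-]+)-----[\r\t ]*$')


def classify(line, regex):
    """Return (action, what) if `line` is an armor header line under `regex`, else None."""
    m = regex.match(line)
    if m is None:
        return None
    return (m.group('action').decode(), m.group('what').decode())


def disagreements(lines):
    """Lines the old pattern treats as armor headers but the new one rejects.

    Python's `\\s` also matches form feed (\\x0c) and vertical tab (\\x0b), so
    python-debian 0.1.26 would switch parser state on such a line while GnuPG,
    which only strips [\\r\\t ] from the end of an armor header line, treats it
    as ordinary text.  A plain '\\n' or '\\r\\n' line ending is fine under both:
    `$` matches before a final newline and `\\r` is in the allowed set.
    """
    return [line for line in lines
            if classify(line, OLD_GPGRE) is not None
            and classify(line, NEW_GPGRE) is None]


# Constructed sample lines (not taken from the bug report).
SAMPLE = [
    b'-----BEGIN PGP SIGNED MESSAGE-----\n',       # plain line ending: both accept
    b'-----BEGIN PGP SIGNED MESSAGE----- \t\r\n',  # trailing [\r\t ]: both accept
    b'-----BEGIN PGP SIGNATURE-----\x0c\n',        # form feed: only \s accepts
    b'-----END PGP SIGNATURE-----\x0b',            # vertical tab: only \s accepts
    b'-----BEGIN PGP SIGNATURE----- trailing text', # neither accepts
    b'Package: python-debian',
]

if __name__ == '__main__':
    for line in SAMPLE:
        print(repr(line), classify(line, OLD_GPGRE), classify(line, NEW_GPGRE))
    print('accepted only by the old pattern:', disagreements(SAMPLE))
```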
--- Begin Message ---
Source: python-debian
Source-Version: 0.1.27
We believe that the bug you reported is fixed in the latest version of
python-debian, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stuart Prescott <[email protected]> (supplier of updated python-debian package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 15 Apr 2015 00:53:27 +1000
Source: python-debian
Binary: python-debian python3-debian
Architecture: source all
Version: 0.1.27
Distribution: unstable
Urgency: medium
Maintainer: Debian python-debian Maintainers <[email protected]>
Changed-By: Stuart Prescott <[email protected]>
Description:
python-debian - Python modules to work with Debian-related data formats
python3-debian - Python 3 modules to work with Debian-related data formats
Closes: 782276
Changes:
python-debian (0.1.27) unstable; urgency=medium
.
* Tighten whitespace handling in GPG Armor Header lines, with thanks to
Guillem Jover for the patch (Closes: #782276).
--- End Message ---
--
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-python-debian-maint