~ubuntu-support-team/dpkg/+git/dpkg:squeeze

Last commit made on 2015-05-03
Get this branch:
git clone -b squeeze https://git.launchpad.net/~ubuntu-support-team/dpkg/+git/dpkg

Branch information

Name:
squeeze
Repository:
lp:~ubuntu-support-team/dpkg/+git/dpkg

Recent commits

eebef52... by Guillem Jover <email address hidden>

Release 1.15.12

a705d80... by Raphaël Hertzog

debian: drop myself from Uploaders

Cherry picked from commit 10ff6c4fc598dbc9697c825a8c8e1bf25caa2fcb.

Signed-off-by: Guillem Jover <email address hidden>

f0d0380... by Guillem Jover <email address hidden>

Dpkg::Control::Hash: Fix OpenPGP Armor Header Line parsing

Cherry picked from commit c49d104601b673c11c981dc9b6d8247e6da64edd.

We should only accept [\r\t ] as trailing whitespace. Although RFC4880
does not clarify what whitespace really maps to, we should really match
the GnuPG implementation anyway, as that is what we use to verify the
signatures.

Fixes: CVE-2015-0840
Reported-by: Jann Horn <email address hidden>
Signed-off-by: Ben Hutchings <email address hidden>
Signed-off-by: Guillem Jover <email address hidden>

0602847... by Guillem Jover <email address hidden>

Dpkg::Control::Hash: Do not accept Armor Header Lines inside a paragraph

Cherry picked from commit afe626640a81a0191b06e2f4ae16eb2bd1b228c3.

Make sure that no fields are injected before a signed block.

Although the only possible attack is to add fields not present in the
signed block, as otherwise a syntax error due to duplicate field is
triggered.

Signed-off-by: Ben Hutchings <email address hidden>
Signed-off-by: Guillem Jover <email address hidden>

7c9e955... by Guillem Jover <email address hidden>

Dpkg::Control::Hash: Check for presence of OpenPGP signatures

Cherry picked from commit b08f7a8306f872b077af4040ebeab8853faaf0cd.

Make sure the OpenPGP armor contains a signature block, even on EOF.

This should get detected and rejected by gpgv anyway, but it's better
to check the structure of the message before doing any further parsing
on it.

Signed-off-by: Ben Hutchings <email address hidden>
Signed-off-by: Guillem Jover <email address hidden>

9e1f15a... by Guillem Jover <email address hidden>

Dpkg: Fix OpenPGP armored signature parsing

Cherry picked from commit 9945c52208fa7520bb307868d6c152ced8238969.

Change parsing code to honour RFC4880. Handle whitespaces at EOL, and
correctly expect five trailing dashes on the Armor Header Lines.

Closes: #695919

Reported-by: Ansgar Burchardt <email address hidden>
[<email address hidden>:
 - Resolve conflict in whitespace in scripts/t/700_Dpkg_Control.t. ]
Signed-off-by: Ben Hutchings <email address hidden>
Signed-off-by: Guillem Jover <email address hidden>

c171377... by Roger Leigh

Dpkg::Control::Hash: accept PGP signature as end of block

Cherry picked from commit 898936120e987d9faf27002e2d01844edbfbb538.

Improved-by: Raphaël Hertzog <email address hidden>
Signed-off-by: Ben Hutchings <email address hidden>
Signed-off-by: Guillem Jover <email address hidden>

1d6c7d5... by Guillem Jover <email address hidden>

Bump version to 1.15.12

0e17427... by Guillem Jover <email address hidden>

Release 1.15.11

ceb5b2b... by Guillem Jover <email address hidden>

scripts: Add test case for patch disabling hunks

Cherry picked from commit bb2fe22738675a5a92d65aad03efcc73efd3a368.

This does not pose any security issue, as the hunk parser is strict, and
will reject a patch if it considers that the hunk marker is not present.