[Pkg-privacy-commits] [torbrowser-launcher] 01/05: Prevent signature verification attack by passing both data file as well as sig file into gpg (fixes #229)

Holger Levsen holger at moszumanska.debian.org
Wed Mar 16 00:27:34 UTC 2016


This is an automated email from the git hooks/post-receive script.

holger pushed a commit to branch debian/sid
in repository torbrowser-launcher.

commit df3b7b8e6a891915d578a56a005018417d3d5e8a
Author: Micah Lee <micah at micahflee.com>
Date:   Sun Mar 13 14:51:08 2016 -0700

    Prevent signature verification attack by passing both data file as well as sig file into gpg (fixes #229)
---
 torbrowser_launcher/launcher.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/torbrowser_launcher/launcher.py b/torbrowser_launcher/launcher.py
index d250a6e..442c6f4 100644
--- a/torbrowser_launcher/launcher.py
+++ b/torbrowser_launcher/launcher.py
@@ -447,7 +447,7 @@ class Launcher:
         # verify the PGP signature
         verified = False
         FNULL = open(os.devnull, 'w')
-        p = subprocess.Popen(['/usr/bin/gpg', '--homedir', self.common.paths['gnupg_homedir'], '--verify', self.common.paths['sig_file']], stdout=FNULL, stderr=subprocess.STDOUT)
+        p = subprocess.Popen(['/usr/bin/gpg', '--homedir', self.common.paths['gnupg_homedir'], '--verify', self.common.paths['sig_file'], self.common.paths['tarball_file']], stdout=FNULL, stderr=subprocess.STDOUT)
         self.pulse_until_process_exits(p)
         if p.returncode == 0:
             verified = True
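Review bot: with the second argument added on the `+` line, `gpg --verify` is now told which data file the detached signature must cover, but the `if p.returncode == 0:` check that follows still treats any good signature from any key in `gnupg_homedir` as success, and all of gpg's diagnostics are thrown away via `stdout=FNULL, stderr=subprocess.STDOUT`. A zero exit status alone does not tell you which key produced the signature. Consider running gpg with `--status-fd 1` and `stdout=subprocess.PIPE`, then only setting `verified = True` after finding a `[GNUPG:] VALIDSIG` line whose fingerprint matches the expected Tor Browser signing key; that keeps the fix's correct argument order (`sig_file` followed by `tarball_file`, which is what gpg expects for a detached signature) while also binding the result to a known key. The hard-coded `/usr/bin/gpg` path is a smaller point worth a comment if it is intentional.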
