[Pkg-privacy-commits] [torbrowser-launcher] 01/03: Prevent signature verification attack by passing both data file as well as sig file into gpg (fixes #229)
Holger Levsen
holger at moszumanska.debian.org
Wed Mar 16 00:37:32 UTC 2016
This is an automated email from the git hooks/post-receive script.
holger pushed a commit to branch master
in repository torbrowser-launcher.
commit e5d3cbb0a3295bff6300797afe840226f4f56397
Author: Micah Lee <micah at micahflee.com>
Date: Sun Mar 13 14:51:08 2016 -0700
Prevent signature verification attack by passing both data file as well as sig file into gpg (fixes #229)
---
torbrowser_launcher/launcher.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/torbrowser_launcher/launcher.py b/torbrowser_launcher/launcher.py
index d250a6e..442c6f4 100644
--- a/torbrowser_launcher/launcher.py
+++ b/torbrowser_launcher/launcher.py
@@ -447,7 +447,7 @@ class Launcher:
# verify the PGP signature
verified = False
FNULL = open(os.devnull, 'w')
- p = subprocess.Popen(['/usr/bin/gpg', '--homedir', self.common.paths['gnupg_homedir'], '--verify', self.common.paths['sig_file']], stdout=FNULL, stderr=subprocess.STDOUT)
+ p = subprocess.Popen(['/usr/bin/gpg', '--homedir', self.common.paths['gnupg_homedir'], '--verify', self.common.paths['sig_file'], self.common.paths['tarball_file']], stdout=FNULL, stderr=subprocess.STDOUT)
self.pulse_until_process_exits(p)
if p.returncode == 0:
verified = True
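Review bot: `verified` is still set from `p.returncode == 0` alone, with gpg's output discarded to `FNULL`, so the check accepts a good signature from any key in the `gnupg_homedir` keyring rather than from one expected signing key. If that keyring can ever hold more than the release key (its contents are not visible in this hunk), consider adding `'--status-fd', '1'` to the argument list, capturing stdout instead of discarding it, and requiring a `[GNUPG:] VALIDSIG` line whose fingerprint equals a pinned value before setting `verified = True`. The enclosing method starts and ends outside the hunk, so whether `FNULL` is closed and how `verified` is consumed afterwards cannot be checked here.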
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-privacy/packages/torbrowser-launcher.git