Bug#695932: deb822: flawed handling of signed data
Ansgar Burchardt
ansgar at debian.org
Fri Dec 14 14:31:03 UTC 2012
Package: python-debian
Version: 0.1.21+nmu2
Severity: important
debian.deb822 does not handle signed data properly and can be tricked into
processing unsigned data while thinking the data is signed.
I have attached an example program and *.dsc demonstrating the problem: it will
output "gnupg", but the Source field in the signed part of the file actually
says "dpkg".
See also #695855.
Ansgar
-- System Information:
Debian Release: 7.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-32-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages python-debian depends on:
ii python 2.7.3-3
ii python-chardet 2.0.1-2
ii python-six 1.2.0-1
Versions of packages python-debian recommends:
ii python-apt 0.8.8.1
Versions of packages python-debian suggests:
ii gpgv 1.4.12-6
-- no debconf information
-------------- next part --------------
import debian.deb822

# Parse the attached .dsc: the unsigned text after the signature block is read
# along with the clearsigned part instead of being rejected.
d = debian.deb822.Dsc(open("test.dsc", "r"))
i = d.get_gpg_info()
assert i.valid()        # gpgv accepts the (genuine) signature on the first block
print(d['Source'])      # prints "gnupg", but the signed Source field says "dpkg"
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 3.0 (native)
Source: dpkg
Binary: libdpkg-dev, dpkg, dpkg-dev, libdpkg-perl, dselect
Architecture: any all
Version: 1.16.9
Origin: debian
Maintainer: Dpkg Developers <debian-dpkg at lists.debian.org>
Uploaders: Guillem Jover <guillem at debian.org>, Raphaël Hertzog <hertzog at debian.org>
Homepage: http://wiki.debian.org/Teams/Dpkg
Standards-Version: 3.9.3
Vcs-Browser: http://git.debian.org/?p=dpkg/dpkg.git
Vcs-Git: git://git.debian.org/git/dpkg/dpkg.git
Build-Depends: debhelper (>= 7), pkg-config, flex, gettext (>= 0.18), po4a (>= 0.41), zlib1g-dev (>= 1:1.1.3-19.1), libbz2-dev, liblzma-dev, libselinux1-dev (>= 1.28-4) [linux-any], libncursesw5-dev, libtimedate-perl, libio-string-perl
Package-List:
dpkg deb admin required
dpkg-dev deb utils optional
dselect deb admin optional
libdpkg-dev deb libdevel optional
libdpkg-perl deb perl optional
Checksums-Sha1:
c48dd955f77afdc5eca959b96265b65cfddd665c 3697752 dpkg_1.16.9.tar.xz
Checksums-Sha256:
73cd7fba4e54acddd645346b4bc517030b9c35938e82215d3eeb8b4e7af26b7a 3697752 dpkg_1.16.9.tar.xz
Files:
4df9319b2d17e19cdb6fe94dacee44da 3697752 dpkg_1.16.9.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAlCCLPQACgkQuW9ciZ2SjJsEOQCg9KaxkZ0aLCHIp4t3hBGz+gNA
ZBUAoPaJf0WyU37ati2pIqBRgXX5bNeP
=qdPv
-----END PGP SIGNATURE-----
Format: 3.0 (quilt)
Source: gnupg
Binary: gnupg, gnupg-curl, gpgv, gnupg-udeb, gpgv-udeb, gpgv-win32
Architecture: any all
Version: 1.4.12-6
Maintainer: Debian GnuPG-Maintainers <pkg-gnupg-maint at lists.alioth.debian.org>
Uploaders: Sune Vuorela <debian at pusling.com>, Daniel Leidert <dleidert at debian.org>, Thijs Kinkhorst <thijs at debian.org>
Homepage: http://www.gnupg.org
Standards-Version: 3.9.3
Vcs-Browser: http://svn.debian.org/wsvn/pkg-gnupg/gnupg/
Vcs-Svn: svn://svn.debian.org/svn/pkg-gnupg/gnupg/trunk/
Build-Depends: debhelper (>> 7), libz-dev, libldap2-dev, libbz2-dev, libusb-dev [!hurd-i386], libreadline-dev, file, gettext, libcurl4-gnutls-dev
Build-Depends-Indep: mingw-w64
Package-List:
gnupg deb utils important
gnupg-curl deb utils optional
gnupg-udeb udeb debian-installer extra
gpgv deb utils important
gpgv-udeb udeb debian-installer extra
gpgv-win32 deb utils extra
Checksums-Sha1:
790587e440ec7d429b120db7a96a237badc638fd 4939171 gnupg_1.4.12.orig.tar.gz
ad9793124c400ca7e858291155b42b53ee87d2d4 92008 gnupg_1.4.12-6.debian.tar.gz
Checksums-Sha256:
bb94222fa263e55a5096fdc1c6cd60e9992602ce5067bc453a4ada77bb31e367 4939171 gnupg_1.4.12.orig.tar.gz
2d146235f3ff89f119849d34f455ba659c0e0dd0c08693305bac56a33dfe5978 92008 gnupg_1.4.12-6.debian.tar.gz
Files:
f9a65ccd7166d3fdb084454cf7427564 4939171 gnupg_1.4.12.orig.tar.gz
e23c2823d4105bfd4597fa4d1c88a87d 92008 gnupg_1.4.12-6.debian.tar.gz
-----END PGP NOSIGNATURE-----
Version: vim v7.3.547 (GNU/Linux)
Signed and approved.
-----END PGP NOSIGNATURE-----
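Added example (not code from the report or from python-debian): a strict reader for a clearsigned deb822 file that hands the field parser only the text the signature covers. The constructed input below mirrors the attached .dsc: a signed block whose Source is dpkg, followed by unsigned fields naming gnupg behind a fake `-----END PGP NOSIGNATURE-----` line. The signature lines are placeholders; signature verification itself is out of scope here. `naive_fields` is a constructed illustration of the failure mode the report describes (armor lines stripped, every remaining field parsed, later values win), not python-debian's actual code; `extract_signed_payload` and `parse_paragraph` are the check that closes it.

```python
"""Strict extraction of the signed payload from a clearsigned deb822 file.

Added example, not code from the bug report or from python-debian.
"""
import re

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"
# Field name: printable ASCII except space and colon, then a colon.
FIELD_RE = re.compile(r"^([!-9;-~]+):(.*)$")


class SignedDataError(ValueError):
    """Raised when a file carries data the signature does not cover."""


def extract_signed_payload(text):
    """Return only the clearsigned text (RFC 4880 section 7), dash-unescaped.

    Any non-blank line before the armor header or after the signature footer
    is rejected: the signature says nothing about such lines.
    """
    lines = text.splitlines()
    try:
        start = lines.index(BEGIN_SIGNED)
        sig_start = lines.index(BEGIN_SIG, start)
        sig_end = lines.index(END_SIG, sig_start)
    except ValueError:
        raise SignedDataError("not a complete clearsigned message")
    for ln in lines[:start] + lines[sig_end + 1:]:
        if ln.strip():
            raise SignedDataError("unsigned data outside signature block: %r" % ln)
    # Armor headers such as "Hash: SHA1" run up to the first blank line.
    body = start + 1
    while body < sig_start and lines[body].strip():
        body += 1
    body += 1
    if body > sig_start:
        raise SignedDataError("armor header not terminated by a blank line")
    # Undo dash-escaping: a payload line beginning with "-" was sent as "- -".
    return "\n".join(ln[2:] if ln.startswith("- ") else ln
                     for ln in lines[body:sig_start])


def parse_paragraph(payload):
    """Parse one deb822 paragraph; a repeated field is an error, not a merge."""
    fields, current = {}, None
    for ln in payload.splitlines():
        if not ln.strip():
            if fields:
                break            # a .dsc has one paragraph; stop at its end
            continue
        if ln[0] in " \t":       # continuation line of the previous field
            if current is None:
                raise SignedDataError("continuation line before any field")
            fields[current] += "\n" + ln.strip()
            continue
        m = FIELD_RE.match(ln)
        if not m:
            raise SignedDataError("malformed field line: %r" % ln)
        name, value = m.group(1), m.group(2).strip()
        if name in fields:
            raise SignedDataError("duplicate field %r" % name)
        fields[name] = value
        current = name
    return fields


def naive_fields(text):
    """Constructed illustration of the flawed approach (NOT python-debian's
    code): drop armor lines and the signature body, parse everything else,
    last value wins.  Text after the signature footer is silently trusted."""
    fields, in_sig = {}, False
    for ln in text.splitlines():
        if ln.startswith(BEGIN_SIG):
            in_sig = True
        elif ln.startswith(END_SIG):
            in_sig = False
        elif in_sig or ln.startswith("-----") or ln[:1] in ("", " ", "\t"):
            continue
        else:
            m = FIELD_RE.match(ln)
            if m:
                fields[m.group(1)] = m.group(2).strip()
    return fields


def signed_source(text):
    """Source field taken only from the signed payload; raises on trailing data."""
    return parse_paragraph(extract_signed_payload(text))["Source"]


# Constructed test vector shaped like the attached .dsc.  The signature lines
# are placeholders, not a real signature.
CRAFTED_DSC = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 3.0 (native)
Source: dpkg
Version: 1.16.9
Files:
 4df9319b2d17e19cdb6fe94dacee44da 3697752 dpkg_1.16.9.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

placeholder+signature+lines+not+a+real+signature==
=xxxx
-----END PGP SIGNATURE-----
Format: 3.0 (quilt)
Source: gnupg
Version: 1.4.12-6
-----END PGP NOSIGNATURE-----
Version: vim v7.3.547 (GNU/Linux)
Signed and approved.
-----END PGP NOSIGNATURE-----
"""

if __name__ == "__main__":
    print("naive:", naive_fields(CRAFTED_DSC)["Source"])   # gnupg: unsigned field wins
    try:
        signed_source(CRAFTED_DSC)
    except SignedDataError as e:
        print("strict:", e)                                 # rejected
    clean = CRAFTED_DSC.split(END_SIG)[0] + END_SIG + "\n"
    print("strict, trailing text removed:", signed_source(clean))   # dpkg
```

Run gpgv over the file first and feed the deb822 parser exactly the bytes the verifier vouched for; where the verifier can return the signed payload itself (gpg's `--decrypt`, or a gpgv build that supports `--output`), taking it from there is cleaner than re-deriving the armor boundaries in the consumer. Rejecting repeated fields is a second, cheaper guard against one copy of a field silently shadowing another.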