Bug#695932: deb822: flawed handling of signed data
Ansgar Burchardt
ansgar at debian.org
Tue Aug 26 23:36:33 UTC 2014
Control: tag -1 - moreinfo unreproducible
John Wright <jsw at debian.org> writes:
> On Fri, Dec 14, 2012 at 02:31:03PM +0000, Ansgar Burchardt wrote:
>> Package: python-debian
>> Version: 0.1.21+nmu2
>> Severity: important
>>
>> debian.deb822 does not handle signed data properly and can be tricked into
>> processing unsigned data while thinking the data is signed.
>>
>> I have attached an example program and *.dsc demonstrating the problem: it will
>> output "gnupg", but the Source field in the signed part of the file actually
>> says "dpkg".
>>
>> See also #695855.
>
> Thanks for the report. Unfortunately (or fortunately, depending on your
> point of view), I cannot reproduce this, either with 0.1.22 or
> 0.1.21+nmu2. (Because the keyring has also changed, I had to replace
> the signed portion with a different signed .dsc for dpkg in order for
> i.valid() to return True, but the end result was that d['Source'] is
> 'dpkg' and not 'gnupg' as in the report.)
There are subtle changes to the signed part that are easy to miss. I've
attached an updated example .dsc (which is signed with a key still in
the keyring).
Ansgar
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: test.dsc
URL: <http://lists.alioth.debian.org/pipermail/pkg-python-debian-maint/attachments/20140827/29a67a38/attachment.ksh>
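The failure mode reported above is a parser that reads a field from a part of the file the signature does not cover. As an added illustration (not python-debian's own code, and not a reconstruction of the attached test.dsc, whose construction the thread does not describe), the extractor below returns only the clearsigned payload and rejects any non-blank text outside the armored block; the .dsc-like input is constructed with a placeholder signature body, and signature verification itself is assumed to run separately on the same bytes.

```python
# Added example (not python-debian's code): deb822 fields are read only from the signed payload.
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"
# Constructed sample with a placeholder (non-verifying) signature body.
SIGNED = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 3.0 (quilt)
Source: dpkg
- -----dash-escaped payload line
-----BEGIN PGP SIGNATURE-----

PLACEHOLDERSIGNATUREBODYNOTREAL
-----END PGP SIGNATURE-----
"""
# Same block followed by an unsigned field the signature does not cover.
WITH_UNSIGNED_TAIL = SIGNED + "Source: gnupg\n"

def signed_payload(text):
    """Payload lines of the single clearsigned block in `text`; raises
    ValueError if anything but blank lines lies outside that block."""
    lines = text.splitlines()
    try:
        start = lines.index(BEGIN_MSG)
        sig = lines.index(BEGIN_SIG, start)
        end = lines.index(END_SIG, sig)
    except ValueError:
        raise ValueError("no complete clearsigned block")
    if any(l.strip() for l in lines[:start] + lines[end + 1:]):
        raise ValueError("data outside the signed block")
    # Armor headers ("Hash: ...") end at the first blank line; skip them.
    body_start = lines.index("", start) + 1
    if body_start > sig:
        raise ValueError("malformed armor header")
    # Undo RFC 4880 dash-escaping of payload lines that begin with "-".
    return [l[2:] if l.startswith("- ") else l for l in lines[body_start:sig]]

def parse_fields(lines):
    """Minimal deb822 field parser (continuation lines are ignored)."""
    pairs = (l.split(":", 1) for l in lines if ":" in l and not l[:1].isspace())
    return {k: v.strip() for k, v in pairs}

def strict_source(text):
    """Source field taken only from the signed payload; None if rejected."""
    try:
        return parse_fields(signed_payload(text)).get("Source")
    except ValueError:
        return None
```

Running `parse_fields` over the whole of `WITH_UNSIGNED_TAIL` yields the unsigned "gnupg", whereas `strict_source` yields "dpkg" for the clean sample and refuses the one with trailing unsigned data.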