Bug#782276: python-debian: Insecure parsing of OpenPGP Armor Header lines
Guillem Jover
guillem at debian.org
Thu Apr 9 21:19:29 UTC 2015
Source: python-debian
Source-Version: 0.1.26
Severity: important
Tags: security
[ Because I've not tried to check the extent of the vulnerability,
I've set the severity to important, if it is really bad then it
probably deserves to be serious. ]
Hi!
While dealing with the dpkg security issue (fixed in 1.16.16, and the
upcoming 1.17.25), I checked other implementations and found that it
also affects the python-debian modules.
The parser is too lax and accepts any whitespace while GnuPG only
accepts [\r\t ] at the end of an Armor Header line, which means that a
message could be doctored to include lines that will be ignored by GnuPG
but parsed by the python-debian modules.
The attached untested patch should in principle fix this issue.
Thanks,
Guillem
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-deb822-Fix-OpenPGP-Armor-Header-Line-parsing.patch
Type: text/x-diff
Size: 1134 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-python-debian-maint/attachments/20150409/c88e154b/attachment.patch>
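As an added illustration (not the attached patch and not python-debian's own code), the snippet below contrasts a lax "any whitespace" blank-line rule with the [\r\t ]-only rule the report attributes to GnuPG; the function names and the sample block are constructed for this example.

```python
# Added example, not code from python-debian or from the attached patch.
# Per the report, GnuPG tolerates only carriage return, tab and space at
# the end of an OpenPGP Armor Header line; a parser that uses a broader
# notion of whitespace can see the end of the header block where GnuPG
# does not, so the two disagree about where the signed payload begins.
GPG_TRAILING_WS = b"\r\t "


def strict_is_blank(line: bytes) -> bool:
    """GnuPG rule: the blank line ending the Armor Headers holds only [\\r\\t ]."""
    return line.strip(GPG_TRAILING_WS) == b""


def lax_is_blank(line: bytes) -> bool:
    """Lax rule: bytes.strip() also removes \\x0b (VT) and \\x0c (FF)."""
    return line.strip() == b""


def split_armor_headers(lines, is_blank):
    """Split the lines after 'BEGIN PGP SIGNED MESSAGE' into (headers, payload).

    The first line judged blank by `is_blank` ends the header block."""
    headers = []
    for i, raw in enumerate(lines):
        line = raw.rstrip(b"\n")
        if is_blank(line):
            return headers, lines[i + 1:]
        headers.append(line)
    return headers, []


# Constructed sample (hypothetical): the second line is a lone form feed.
SIGNED_BLOCK = [
    b"Hash: SHA256\n",
    b"\x0c\n",
    b"X-Note: still inside the armor headers under the strict rule\n",
    b"\n",
    b"Origin: Debian\n",
]


def parsers_disagree(lines):
    """True when the lax and strict rules yield different payloads.

    A hardened parser uses strict_is_blank; this check is a regression guard."""
    _, strict_payload = split_armor_headers(lines, strict_is_blank)
    _, lax_payload = split_armor_headers(lines, lax_is_blank)
    return strict_payload != lax_payload


if __name__ == "__main__":
    print("strict payload:", split_armor_headers(SIGNED_BLOCK, strict_is_blank)[1])
    print("lax payload:   ", split_armor_headers(SIGNED_BLOCK, lax_is_blank)[1])
    print("parsers disagree:", parsers_disagree(SIGNED_BLOCK))
```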