]> git.saurik.com Git - apt.git/blobdiff - apt-pkg/acquire-item.cc
projects / apt.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
* apt-pkg/acquire-item.cc:
[apt.git] / apt-pkg / acquire-item.cc
diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc
index 39ce90ddae56d7f344ceabfb3955a01f4a316105..eda45d7be9a489d825e757cd5c5a9e30f3577216 100644 (file)
--- a/apt-pkg/acquire-item.cc
+++ b/apt-pkg/acquire-item.cc
@@ -1608,6 +1608,13 @@ void pkgAcqMetaClearSig::Failed(string Message,pkgAcquire::MethodConfig *Cnf) /*
 {
    if (AuthPass == false)
    {
+      // Remove the 'old' InRelease file if we try Release.gpg now as otherwise
+      // the file will stay around and gives a false-auth impression (CVE-2012-0214)
+      string FinalFile = _config->FindDir("Dir::State::lists");
+      FinalFile.append(URItoFileName(RealURI));
+      if (FileExists(FinalFile))
+        unlink(FinalFile.c_str());
+
       new pkgAcqMetaSig(Owner,
                        MetaSigURI, MetaSigURIDesc, MetaSigShortDesc,
                        MetaIndexURI, MetaIndexURIDesc, MetaIndexShortDesc,
APT (for Cydia)