* lp:~mvo/apt/add-glob-function:

[apt.git] / apt-pkg / acquire-item.cc

diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc
index ca40b0bd77b2e30ec23fac6340076bd4c3377d80..665dd427ef68af3075ed58b899abcd2d1d851dee 100644 (file)
--- a/apt-pkg/acquire-item.cc
+++ b/apt-pkg/acquire-item.cc
@@ -1235,9 +1235,20 @@ void pkgAcqMetaIndex::Done(string Message,unsigned long long Size,string Hash,   /
       }
       else
       {
+         // FIXME: move this into pkgAcqMetaClearSig::Done on the next
+         //        ABI break
+
+         // if we expect a ClearTextSignature (InRelase), ensure that
+         // this is what we get and if not fail to queue a 
+         // Release/Release.gpg, see #346386
+         if (SigFile == DestFile && !StartsWithGPGClearTextSignature(DestFile))
+         {
+            Failed(Message, Cfg);
+            return;
+         }
+
          // There was a signature file, so pass it to gpgv for
          // verification
-
          if (_config->FindB("Debug::pkgAcquire::Auth", false))
             std::cerr << "Metaindex acquired, queueing gpg verification ("
                       << SigFile << "," << DestFile << ")\n";
@@ -1395,7 +1406,12 @@ void pkgAcqMetaIndex::QueueIndexes(bool verify)                          /*{{{*/
                                (*Target)->ShortDesc, ExpectedIndexHash);
         else if (transInRelease == false || MetaIndexParser->Exists((*Target)->MetaKey) == true)
         {
-           new pkgAcqIndexTrans(Owner, *Target, ExpectedIndexHash, MetaIndexParser);
+           if (_config->FindB("Acquire::PDiffs",true) == true && transInRelease == true &&
+               MetaIndexParser->Exists(string((*Target)->MetaKey).append(".diff/Index")) == true)
+              new pkgAcqDiffIndex(Owner, (*Target)->URI, (*Target)->Description,
+                                  (*Target)->ShortDesc, ExpectedIndexHash);
+           else
+              new pkgAcqIndexTrans(Owner, *Target, ExpectedIndexHash, MetaIndexParser);
         }
         continue;
       }
@@ -1593,6 +1609,13 @@ void pkgAcqMetaClearSig::Failed(string Message,pkgAcquire::MethodConfig *Cnf) /*
 {
    if (AuthPass == false)
    {
+      // Remove the 'old' InRelease file if we try Release.gpg now as otherwise
+      // the file will stay around and gives a false-auth impression (CVE-2012-0214)
+      string FinalFile = _config->FindDir("Dir::State::lists");
+      FinalFile.append(URItoFileName(RealURI));
+      if (FileExists(FinalFile))
+        unlink(FinalFile.c_str());
+
       new pkgAcqMetaSig(Owner,
                        MetaSigURI, MetaSigURIDesc, MetaSigShortDesc,
                        MetaIndexURI, MetaIndexURIDesc, MetaIndexShortDesc,
@@ -1798,7 +1821,18 @@ bool pkgAcqArchive::QueueNext()
         else
            PartialSize = Buf.st_size;
       }
-      
+
+      // Disables download of archives - useful if no real installation follows,
+      // e.g. if we are just interested in proposed installation order
+      if (_config->FindB("Debug::pkgAcqArchive::NoQueue", false) == true)
+      {
+        Complete = true;
+        Local = true;
+        Status = StatDone;
+        StoreFilename = DestFile = FinalFile;
+        return true;
+      }
+
       // Create the item
       Local = false;
       Desc.URI = Index->ArchiveURI(PkgFile);