Merge remote-tracking branch 'mvo/bugfix/update-progress-reporting' into debian/exper...

[apt.git] / apt-pkg / acquire-item.cc

diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc
index d347efa54ad452083b4e5f9fd73b638342eaa8fc..913764f64ce04fdc91238a0f3066a4b29209bf50 100644 (file)
--- a/apt-pkg/acquire-item.cc
+++ b/apt-pkg/acquire-item.cc
@@ -1470,9 +1470,20 @@ void pkgAcqMetaIndex::Done(string Message,unsigned long long Size,string Hash,   /
       }
       else
       {
+         // FIXME: move this into pkgAcqMetaClearSig::Done on the next
+         //        ABI break
+
+         // if we expect a ClearTextSignature (InRelase), ensure that
+         // this is what we get and if not fail to queue a 
+         // Release/Release.gpg, see #346386
+         if (SigFile == DestFile && !StartsWithGPGClearTextSignature(DestFile))
+         {
+            Failed(Message, Cfg);
+            return;
+         }
+
          // There was a signature file, so pass it to gpgv for
          // verification
-
          if (_config->FindB("Debug::pkgAcquire::Auth", false))
             std::cerr << "Metaindex acquired, queueing gpg verification ("
                       << SigFile << "," << DestFile << ")\n";
@@ -2136,7 +2147,8 @@ void pkgAcqArchive::Done(string Message,unsigned long long Size,string CalcHash,
    }
    
    // Check the hash
-   if(ExpectedHash.toStr() != CalcHash)
+   // FIXME: could this empty() check impose *any* sort of security issue?
+   if(ExpectedHash.empty() == false && ExpectedHash.toStr() != CalcHash)
    {
       RenameOnError(HashSumMismatch);
       return;