Skip a reverify for cdrom: sources. The reverify step is actually
harmful here because the apt-cdrom add code uses the indexcopy.cc
which will "normalize" the Packages file from the cdrom when it
writes it to the local disk. This leads to changing the "MD5sum"
field (notice the lower case "s") on the cdrom Packages file to
a "MD5Sum" field on the local file in /var/lib/apt/lists. Which
of course alters the hash and makes apt fail to reverify the file.
else
Local = true;
+ // do not reverify cdrom sources as apt-cdrom may rewrite the Packages
+ // file when its doing the indexcopy
+ if (RealURI.substr(0,6) == "cdrom:" &&
+ StringToBool(LookupTag(Message,"IMS-Hit"),false) == true)
+ return;
+
// The files timestamp matches, for non-local URLs reverify the local
// file, for local file, uncompress again to ensure the hashsum is still
// matching the Release file
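Review bot: the early `return` on the `cdrom:` / `IMS-Hit` check sits in front of the step that the following comment describes as ensuring the hashsum still matches the Release file, so for these sources a list file altered on local disk after the copy is no longer caught on this path. The comment should state that trade-off explicitly. It is also worth considering whether the root cause named in the commit message, the `MD5sum` to `MD5Sum` rewrite in indexcopy.cc, could be fixed instead so that the check can stay in place. Minor points: "its doing" in the new comment should read "it's doing", and `== true` after `StringToBool(...)` is redundant.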