~ubuntu-branches/ubuntu/oneiric/aptdaemon/oneiric-updates

Viewing changes to debian/patches/04_CVE-2012-0944.patch

  • Committer: Package Import Robot
  • Author(s): Marc Deslauriers
  • Date: 2012-03-28 13:46:00 UTC
  • mfrom: (69.1.2 natty-proposed)
  • Revision ID: package-import@ubuntu.com-20120328134600-n96t1g6dhuqsi3lj
Tags: 0.43+bzr697-0ubuntu1.2
* SECURITY UPDATE: unauthenticated package installation (LP: #959131)
  - debian/patches/04_CVE-2012-0944.patch: properly handle
    unauthenticated packages in aptdaemon/worker.py.
  - CVE-2012-0944
* This package does _not_ contain the changes from 0.43+bzr697-0ubuntu1.1
  in oneiric-proposed.
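As an added illustration (not aptdaemon's code, and not part of this commit page), the following toy model reproduces the window this update closes: a check for unauthenticated packages that runs only at simulation time no longer reflects the cache at apply time, so an origin change in between goes unnoticed. `Package`, `Cache`, `Transaction`, `simulate`, `apply_before_fix`, `apply_after_fix` and `run_scenario` are constructed stand-ins, reduced to the one property that matters here (whether a package's candidate comes from a trusted source); they are assumptions, not aptdaemon's API.

```python
"""Toy model of the simulate/apply window that CVE-2012-0944 closed.

Added example, not aptdaemon code: every class and function here is a
constructed stand-in for apt's cache and aptdaemon's worker.
"""
import logging
from dataclasses import dataclass, field

log = logging.getLogger("toy-worker")


class TransactionFailed(Exception):
    """Raised when a transaction must not proceed."""

    def __init__(self, packages):
        super().__init__("unauthenticated: " + " ".join(sorted(packages)))
        self.packages = set(packages)


@dataclass(frozen=True)
class Package:
    name: str
    trusted: bool  # candidate version comes from a signed, trusted source


class Cache:
    """Stand-in for the apt cache: the set of packages marked for install."""

    def __init__(self, packages):
        self._pkgs = {p.name: p for p in packages}

    def marked_install(self):
        return list(self._pkgs.values())

    def retarget(self, name, trusted):
        # Models the cache changing between simulation and application,
        # e.g. a different candidate origin being selected after a refresh.
        self._pkgs[name] = Package(name, trusted)


@dataclass
class Transaction:
    allow_unauthenticated: bool = False
    unauthenticated: set = field(default_factory=set)


def get_unauthenticated(cache):
    """Names of packages whose candidate is not from a trusted source."""
    return {p.name for p in cache.marked_install() if not p.trusted}


def check_authentication(trans):
    """Refuse unauthenticated packages unless the caller forced them."""
    if trans.unauthenticated and not trans.allow_unauthenticated:
        raise TransactionFailed(trans.unauthenticated)
    if trans.unauthenticated:
        log.warning("unauthenticated packages but forcing install: %s",
                    " ".join(sorted(trans.unauthenticated)))


def simulate(trans, cache):
    """Dry run: record unauthenticated packages and refuse if disallowed."""
    trans.unauthenticated = get_unauthenticated(cache)
    check_authentication(trans)


def apply_before_fix(trans, cache):
    """Pre-fix behaviour: trust the set recorded at simulation time."""
    check_authentication(trans)
    return [p.name for p in cache.marked_install()]


def apply_after_fix(trans, cache):
    """Post-fix behaviour: recompute the set directly before applying."""
    trans.unauthenticated = get_unauthenticated(cache)
    check_authentication(trans)
    return [p.name for p in cache.marked_install()]


def run_scenario(apply_fn, allow_unauthenticated=False):
    """Simulate on a clean cache, change it, then apply with apply_fn.

    Returns ("installed", names) or ("failed", names that blocked it).
    """
    cache = Cache([Package("foo", True), Package("bar", True)])  # constructed
    trans = Transaction(allow_unauthenticated=allow_unauthenticated)
    simulate(trans, cache)                 # passes: both candidates trusted
    cache.retarget("bar", trusted=False)   # the window between the two steps
    try:
        return ("installed", sorted(apply_fn(trans, cache)))
    except TransactionFailed as exc:
        return ("failed", sorted(exc.packages))


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print("before fix:", run_scenario(apply_before_fix))
    print("after fix: ", run_scenario(apply_after_fix))
    print("forced:    ", run_scenario(apply_after_fix, allow_unauthenticated=True))
```

The pre-fix path installs `bar` from the now-untrusted origin without any error, the post-fix path refuses it, and with `allow_unauthenticated` set the forced install proceeds but leaves a warning naming the package, which is the behaviour the patched worker aims for.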

Description: Fix unnoticed installation of unauthenticated packages
 Aptdaemon only checks for unauthenticated packages during the simulation of
 a transaction. It should also check directly before applying the changes
 to catch changes between the simulation and the application.
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/aptdaemon/+bug/959131
Author: Michael Vogt <michael.vogt@ubuntu.com>

Index: aptdaemon-0.43+bzr697/aptdaemon/worker.py
===================================================================
--- aptdaemon-0.43+bzr697.orig/aptdaemon/worker.py      2012-03-28 13:41:46.000000000 -0400
+++ aptdaemon-0.43+bzr697/aptdaemon/worker.py   2012-03-28 13:45:48.645868886 -0400
@@ -906,9 +906,13 @@
                                         pkg.name)
         # Check if any of the cache changes get installed from an
         # unauthenticated repository""
+        trans.unauthenticated = self._get_unauthenticated()
         if not trans.allow_unauthenticated and trans.unauthenticated:
             raise TransactionFailed(ERROR_PACKAGE_UNAUTHENTICATED,
                                     " ".join(sorted(trans.unauthenticated)))
+        if trans.unauthenticated:
+            log.warn("unauthenticated packages but forcing install")
+
         if trans.cancelled:
             raise TransactionCancelled()
         trans.cancellable = False
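Review bot: the added warning `log.warn("unauthenticated packages but forcing install")` only fires when `trans.allow_unauthenticated` let the preceding `raise TransactionFailed(...)` be skipped, so the log line should say which packages were forced; the same list the exception already reports fits, e.g. `log.warn("unauthenticated packages but forcing install: %s", " ".join(sorted(trans.unauthenticated)))`. Recomputing `trans.unauthenticated = self._get_unauthenticated()` just before the check is the right fix for the simulation-time-only check the header describes; while touching these lines, the stray `""` at the end of the context comment `# unauthenticated repository""` could be dropped in the same hunk.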