Hi,

On 12/14/2012 02:51 PM, Guillem Jover wrote:
>> This happens as Dpkg::Control::Hash skips until an empty line:
>>
>> 145         } elsif (m/^-----BEGIN PGP SIGNED MESSAGE/) {
>> 146             $expect_pgp_sig = 1;
>> 147             if ($$self->{'allow_pgp'}) {
>> 148                 # Skip PGP headers
>> 149                 while (<$fh>) {
>> 150                     last if m/^$/;
>> 151                 }
>>
>> However one can add trailing whitespace without breaking the signature
>> causing the code to skip until the second section.
>
> Nice catch! I'm preparing a tiny fix, and I'm going over RFC4880 to see
> if there's any other issues to take care of. Will most probably ask the
> RT if they'd be fine including such fix for wheezy.

There are quite a lot of them. Other fun things to abuse include the wrong
markers in line 145 or dash-escaping text.

Sadly I'm not sure of a painless way to safely extract the data that gpg
(gpgv) actually checked the signature for: gpgv has no option for this and
with gpg you only get the output when using something other than --verify,
but then you have to check the output on --status-fd for the existence of a
valid signature :/

I did file a wishlist request against gnupg to provide an option that
outputs the data as well as checking the signature (#695855).

As I found this problem in quite a lot of packages, I'll probably write a
mail to d-devel later. Maybe somebody else has a better idea how to address
this problem.

Ansgar
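
The separator mismatch discussed in this message, as an added example that is not part of the original mail and is not dpkg's code: the same constructed cleartext-signed input is read once with the zero-length test from the quoted line 150 and once with a test that also accepts a whitespace-only line, which is how RFC 4880 section 6.2 defines the blank line ending the armor headers. The function name `signed_body`, the sample fields and the omitted signature are assumptions made for illustration, and only this one separator case is covered, not the marker or dash-escaping issues mentioned above.

```perl
#!/usr/bin/perl
# Added example, not dpkg code. Compares the header skip quoted above
# with a separator test that follows RFC 4880 section 6.2.
use strict;
use warnings;

# Return the lines between the armor headers and the signature block.
# $blank is the regex deciding which line ends the armor headers.
sub signed_body {
    my ($text, $blank) = @_;
    my @lines = split /\n/, $text;
    my $first = shift @lines;
    die "no cleartext signature header\n"
        unless defined $first && $first =~ /^-----BEGIN PGP SIGNED MESSAGE-----\s*$/;
    # Skip armor headers such as "Hash: SHA256" up to the separator line.
    while (@lines) {
        last if shift(@lines) =~ $blank;
    }
    my @body;
    for my $line (@lines) {
        last if $line =~ /^-----BEGIN PGP SIGNATURE-----\s*$/;
        push @body, $line;
    }
    return @body;
}

# Constructed sample: the separator after "Hash:" holds a single space.
my $msg = join "\n",
    '-----BEGIN PGP SIGNED MESSAGE-----',
    'Hash: SHA256',
    ' ',
    'Source: example',
    'Version: 1.0',
    '',
    'Checksums: placeholder',
    '-----BEGIN PGP SIGNATURE-----',
    '(signature data omitted)',
    '-----END PGP SIGNATURE-----',
    '';

my @lax    = signed_body($msg, qr/^$/);     # test from the quoted line 150
my @strict = signed_body($msg, qr/^\s*$/);  # zero-length or whitespace only

print "zero-length only : $lax[0]\n";
print "whitespace aware : $strict[0]\n";
die "parsers agree; sample does not exercise the mismatch\n"
    if $lax[0] eq $strict[0];
```

With the zero-length test the first paragraph (`Source`, `Version`) is consumed as if it were armor headers and the body starts at `Checksums`; the whitespace-aware test starts the body at `Source`.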