Do not parse Status fields from remote sources

This could allow an attacker to mark a package as installed in a
remote package index, as long as the package was not listed in
the dpkg status file.

This way, an attacker could force the installation of a package
during a dist-upgrade, by providing two packages in an index,
an older marked as installed, and a newer - apt would "upgrade"
to the newer version.

1 files changed, 6 insertions, 1 deletions

diff --git a/apt-pkg/deb/deblistparser.cc b/apt-pkg/deb/deblistparser.cc
index 42eca8677..d88e25e6f 100644
--- a/apt-pkg/deb/deblistparser.cc
+++ b/apt-pkg/deb/deblistparser.cc
@@ -362,7 +362,7 @@ unsigned short debListParser::VersionHash()
    return Result;
 }
 									/*}}}*/
-// ListParser::ParseStatus - Parse the status field			/*{{{*/
+// StatusListParser::ParseStatus - Parse the status field		/*{{{*/
 // ---------------------------------------------------------------------
 /* Status lines are of the form,
      Status: want flag status
@@ -374,6 +374,11 @@ unsigned short debListParser::VersionHash()
 bool debListParser::ParseStatus(pkgCache::PkgIterator &Pkg,
 				pkgCache::VerIterator &Ver)
 {
+   return true;
+}
+bool debStatusListParser::ParseStatus(pkgCache::PkgIterator &Pkg,
+				pkgCache::VerIterator &Ver)
+{
    const char *Start;
    const char *Stop;
    if (Section.Find("Status",Start,Stop) == false)