* SECURITY UPDATE: InRelease verification bypass

  - CVE-2013-1051

* apt-pkg/deb/debmetaindex.cc,
  test/integration/test-bug-595691-empty-and-broken-archive-files,
  test/integration/test-releasefile-verification:
  - disable InRelease downloading until the verification issue is
    fixed, thanks to Ansgar Burchardt for finding the flaw

1 files changed, 14 insertions, 7 deletions

diff --git a/apt-pkg/deb/debmetaindex.cc b/apt-pkg/deb/debmetaindex.cc
index bcc617da7..6c191fd95 100644
--- a/apt-pkg/deb/debmetaindex.cc
+++ b/apt-pkg/deb/debmetaindex.cc
@@ -236,16 +236,23 @@ bool debReleaseIndex::GetIndexes(pkgAcquire *Owner, bool const &GetAll) const
 	 new pkgAcqIndex(Owner, (*Target)->URI, (*Target)->Description,
 			 (*Target)->ShortDesc, HashString());
       }
+
+      // this is normally created in pkgAcqMetaSig, but if we run
+      // in --print-uris mode, we add it here
+      new pkgAcqMetaIndex(Owner, MetaIndexURI("Release"),
+			  MetaIndexInfo("Release"), "Release",
+			  MetaIndexURI("Release.gpg"),
+			  ComputeIndexTargets(),
+			  new indexRecords (Dist));
    }
 
-	new pkgAcqMetaClearSig(Owner, MetaIndexURI("InRelease"),
-		MetaIndexInfo("InRelease"), "InRelease",
-		MetaIndexURI("Release"), MetaIndexInfo("Release"), "Release",
-		MetaIndexURI("Release.gpg"), MetaIndexInfo("Release.gpg"), "Release.gpg",
-		ComputeIndexTargets(),
-		new indexRecords (Dist));
+   new pkgAcqMetaSig(Owner, MetaIndexURI("Release.gpg"),
+		     MetaIndexInfo("Release.gpg"), "Release.gpg",
+		     MetaIndexURI("Release"), MetaIndexInfo("Release"), "Release",
+		     ComputeIndexTargets(),
+		     new indexRecords (Dist));
 
-	return true;
+   return true;
 }
 
 void debReleaseIndex::SetTrusted(bool const Trusted)