=== modified file 'apt-pkg/acquire-item.cc'
--- apt-pkg/acquire-item.cc 2011-04-26 20:45:31 +0000
+++ apt-pkg/acquire-item.cc 2011-05-30 10:39:20 +0000
@@ -894,6 +894,26 @@ void pkgAcqIndex::Done(string Message,un
 ReportMirrorFailure("HashChecksumFailure");
 return;
 }
+
+ /* Verify the index file for correctness (all indexes must
+ * have a Package field) (LP: #346386) (Closes: #195301) */
+ {
+ FileFd fd(DestFile, FileFd::ReadOnly);
+ pkgTagSection sec;
+ pkgTagFile tag(&fd);
+
+ if (!tag.Step(sec)) {
+ Status = StatError;
+ _error->DumpErrors();
+ Rename(DestFile,DestFile + ".FAILED");
+ return;
+ } else if (!sec.Exists("Package")) {
+ Status = StatError;
+ ErrorText = _("Not a valid index file, missing Package field");
+ return;
+ }
+ }
+
 // Done, move it into position
 string FinalFile = _config->FindDir("Dir::State::lists");
 FinalFile += URItoFileName(RealURI);
@@ -1330,6 +1350,13 @@ void pkgAcqMetaIndex::AuthDone(string Me
 /*}}}*/
 void pkgAcqMetaIndex::QueueIndexes(bool verify) /*{{{*/
 {
+ /* Reject invalid, existing Release files (LP: #346386) (Closes: #195301) */
+ if (!verify && FileExists(DestFile) && !MetaIndexParser->Load(DestFile))
+ {
+ Status = StatError;
+ ErrorText = MetaIndexParser->ErrorText;
+ return;
+ }
 for (vector ::const_iterator Target = IndexTargets->begin();
 Target != IndexTargets->end();
 Target++)
=== modified file 'debian/changelog'
--- debian/changelog 2011-05-25 12:45:04 +0000
+++ debian/changelog 2011-05-30 10:37:30 +0000
@@ -4,6 +4,9 @@ apt (0.8.15) UNRELEASED; urgency=low
 * apt-pkg/depcache.cc:
 - Really release action groups only once (Closes: #622744)
 - Make purge work again for config-files (LP: #244598) (Closes: #150831)
+ * apt-pkg/acquire-item.cc:
+ - Reject obviously invalid Packages files, and Release files without hashes
+ (LP: #346386) (Closes: #195301)
 * debian/apt.cron.daily:
 - Check power after wait, patch by manuel-soto (LP: #705269)
 * debian/control:
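Review bot: The two failure branches of the new index check in pkgAcqIndex::Done treat the rejected file differently: when `tag.Step(sec)` fails the file is renamed to `.FAILED` but `ErrorText` is never set, and when the Package field is missing `ErrorText` is set but the file stays at DestFile. Both branches should do both, i.e. add `Rename(DestFile,DestFile + ".FAILED");` to the second branch and an `ErrorText = ...;` assignment to the first, so a rejected index is not left in place and the failure is reported through the item rather than only via `_error->DumpErrors()`. An index with no stanzas (an empty component) presumably also makes `Step` return false and would be treated as an error; confirm that is intended. Only the first stanza is inspected, so this is a format sanity check and not a substitute for the hash check above it. The function starts before and continues after the hunk.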
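Review bot: The guard added at the top of pkgAcqMetaIndex::QueueIndexes runs only when `verify` is false, and its comment does not say why the verified path is exempt or that a missing DestFile skips the check entirely. I would extend the comment to something like `/* Unverified path only: a missing Release file is tolerated, an existing one must parse; with verify set the file is presumably loaded elsewhere (confirm) */`. The rejected file is also left at DestFile, unlike the `.FAILED` rename used in pkgAcqIndex::Done, so the same error presumably recurs until the file is replaced. The body of QueueIndexes continues past the hunk.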