apt: security fix

See https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1812353.
2019-01-22 23:04:53 +02:00 · 2019-01-22 23:04:53 +02:00 · 4958548d79
commit 4958548d79
parent a976fd4223
2 changed files with 18 additions and 1 deletions
--- a/packages/apt/build.sh
+++ b/packages/apt/build.sh
@ -3,7 +3,7 @@ TERMUX_PKG_DESCRIPTION="Front-end for the dpkg package manager"
 TERMUX_PKG_LICENSE="GPL-2.0"
 TERMUX_PKG_DEPENDS="libcurl, liblzma, dpkg, gpgv, libc++, termux-exec"
 TERMUX_PKG_VERSION=1.4.8
-TERMUX_PKG_REVISION=8
+TERMUX_PKG_REVISION=9
 TERMUX_PKG_SHA256=767ad7d6efb64cde52faececb7d3c0bf49800b9fe06f3a5b0132ab4c01a5b8f8
 TERMUX_PKG_SRCURL=http://ftp.debian.org/debian/pool/main/a/apt/apt_${TERMUX_PKG_VERSION}.tar.xz
 TERMUX_PKG_EXTRA_CONFIGURE_ARGS="
--- a/packages/apt/fix-CVE-2019-3462.patch
+++ b/packages/apt/fix-CVE-2019-3462.patch
@ -0,0 +1,17 @@
+diff -uNr apt-1.4.8/apt-pkg/acquire-method.cc apt-1.4.8.mod/apt-pkg/acquire-method.cc
+--- apt-1.4.8/apt-pkg/acquire-method.cc	2017-09-13 19:47:33.000000000 +0300
+++ apt-1.4.8.mod/apt-pkg/acquire-method.cc	2019-01-22 23:03:29.751025868 +0200
+@@ -458,6 +458,13 @@
+  * the worker will enqueue again later on to the right queue */
+ void pkgAcqMethod::Redirect(const string &NewURI)
+ {
+   if (NewURI.find_first_not_of(" !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~") != std::string::npos)
+   {
+       _error->Error("SECURITY: URL redirect target contains control characters, rejecting.");
+       Fail();
+       return;
+   }
+
+    std::cout << "103 Redirect\nURI: " << Queue->Uri << "\n"
+ 	     << "New-URI: " << NewURI << "\n"
+ 	     << "\n" << std::flush;