@AGWA
Created September 23, 2014 17:38
Diff between apt-0.9.7.9+deb7u4 and apt-0.9.7.9+deb7u5
diff -ru _1/apt-0.9.7.9+deb7u4/apt-pkg/acquire-item.cc _2/apt-0.9.7.9+deb7u5/apt-pkg/acquire-item.cc
--- _1/apt-0.9.7.9+deb7u4/apt-pkg/acquire-item.cc 2014-09-17 07:30:35.000000000 -0700
+++ _2/apt-0.9.7.9+deb7u5/apt-pkg/acquire-item.cc 2014-09-22 23:56:57.000000000 -0700
@@ -970,6 +970,12 @@
else
Local = true;
+ // do not reverify cdrom sources as apt-cdrom may rewrite the Packages
+ // file when its doing the indexcopy
+ if (RealURI.substr(0,6) == "cdrom:" &&
+ StringToBool(LookupTag(Message,"IMS-Hit"),false) == true)
+ return;
+
// The files timestamp matches
if (!Local && StringToBool(LookupTag(Message,"IMS-Hit"),false) == true)
{
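Review bot: The new early `return` for `cdrom:` sources sits before the `!Local` IMS-Hit branch and leaves the function without running anything below it, so the comment should say which verification steps are skipped and what still vouches for the on-disk index in that case. As written, `// do not reverify cdrom sources …` explains the regression but not the trust assumption; something like `// cdrom: indexes are written by apt-cdrom (indexcopy); on IMS-Hit keep the existing file and skip the checks below` would let a later reader judge whether the bypass is still safe. The repeated `StringToBool(LookupTag(Message,"IMS-Hit"),false) == true` could also be hoisted into one `bool const IMSHit = …;` used by both conditions. The enclosing function starts and ends outside the hunk, so what exactly follows the return is not visible here.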
diff -ru _1/apt-0.9.7.9+deb7u4/debian/changelog _2/apt-0.9.7.9+deb7u5/debian/changelog
--- _1/apt-0.9.7.9+deb7u4/debian/changelog 2014-09-18 02:32:09.000000000 -0700
+++ _2/apt-0.9.7.9+deb7u5/debian/changelog 2014-09-23 00:07:36.000000000 -0700
@@ -1,3 +1,15 @@
+apt (0.9.7.9+deb7u5) wheezy-security; urgency=high
+
+ * SECURITY UPDATE:
+ - methods/http.cc: fix potential buffer overflow, thanks to the
+ Google Security Team (CVE-2014-6273)
+ * fix regression when Dir::state::lists is set to a relative
+ path (closes: 762160)
+ * fix regression when cdrom: sources got rewriten by apt-cdrom
+ add
+
+ -- Michael Vogt <[email protected]> Tue, 23 Sep 2014 08:56:27 +0200
+
apt (0.9.7.9+deb7u4) wheezy-security; urgency=high
* Fix regression in 0.9.7.9+deb7u3 when file:/// sources
diff -ru _1/apt-0.9.7.9+deb7u4/methods/copy.cc _2/apt-0.9.7.9+deb7u5/methods/copy.cc
--- _1/apt-0.9.7.9+deb7u4/methods/copy.cc 2014-08-20 01:32:37.000000000 -0700
+++ _2/apt-0.9.7.9+deb7u5/methods/copy.cc 2014-09-23 00:08:18.000000000 -0700
@@ -55,7 +55,7 @@
bool CopyMethod::Fetch(FetchItem *Itm)
{
URI Get = Itm->Uri;
- std::string File = Get.Path;
+ std::string File = Get.Host + Get.Path; // To account for relative paths
// Stat the file and send a start message
struct stat Buf;
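Review bot: `Get.Host + Get.Path` turns whatever the URI parser stored in the host field into a leading path component, and nothing in this hunk checks that the result is the intended file. For a relative `copy:` URI that is presumably the point, but a URI that carries a real authority part would now resolve to a path relative to the method's working directory, where before the host was ignored. The comment should state the assumption, e.g. `// Host is only non-empty when the copy: path was relative (the parser puts the first component there)`. `CopyMethod::Fetch` continues past the end of the hunk, so how the resulting `File` is opened is not visible here.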
diff -ru _1/apt-0.9.7.9+deb7u4/methods/http.cc _2/apt-0.9.7.9+deb7u5/methods/http.cc
--- _1/apt-0.9.7.9+deb7u4/methods/http.cc 2013-03-01 02:51:21.000000000 -0800
+++ _2/apt-0.9.7.9+deb7u5/methods/http.cc 2014-09-18 05:26:56.000000000 -0700
@@ -666,18 +666,14 @@
URI Uri = Itm->Uri;
// The HTTP server expects a hostname with a trailing :port
- char Buf[1000];
+ std::string Buf;
string ProperHost = Uri.Host;
if (Uri.Port != 0)
{
- sprintf(Buf,":%u",Uri.Port);
+ strprintf(Buf,":%u",Uri.Port);
ProperHost += Buf;
}
- // Just in case.
- if (Itm->Uri.length() >= sizeof(Buf))
- abort();
-
/* Build the request. We include a keep-alive header only for non-proxy
requests. This is to tweak old http/1.0 servers that do support keep-alive
but not HTTP/1.1 automatic keep-alive. Doing this with a proxy server
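Review bot: Dropping the fixed `char Buf[1000]` removes the overflow, but the request is now only as complete as `strprintf` makes it, and its definition is not part of this diff. If `strprintf` formats into a bounded internal buffer, a long `Uri.Path` or `Itm->Uri` would be cut silently and the request line could lose its terminating `\r\n`; that is worth confirming, and a comment such as `// strprintf replaces Buf; request length is limited only by strprintf` would record the outcome. The same applies to the `strprintf` calls in the hunks at -685, -734 and -742. With the `abort()` length check removed there is no explicit upper bound on the URI length left in this function, which starts and ends outside the hunk.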
@@ -685,32 +681,34 @@
pass it on, HTTP/1.1 says the connection should default to keep alive
and we expect the proxy to do this */
if (Proxy.empty() == true || Proxy.Host.empty())
- sprintf(Buf,"GET %s HTTP/1.1\r\nHost: %s\r\nConnection: keep-alive\r\n",
+ strprintf(Buf, "GET %s HTTP/1.1\r\nHost: %s\r\nConnection: keep-alive\r\n",
QuoteString(Uri.Path,"~").c_str(),ProperHost.c_str());
else
{
/* Generate a cache control header if necessary. We place a max
cache age on index files, optionally set a no-cache directive
and a no-store directive for archives. */
- sprintf(Buf,"GET %s HTTP/1.1\r\nHost: %s\r\n",
+ strprintf(Buf,"GET %s HTTP/1.1\r\nHost: %s\r\n",
Itm->Uri.c_str(),ProperHost.c_str());
}
// generate a cache control header (if needed)
if (_config->FindB("Acquire::http::No-Cache",false) == true)
{
- strcat(Buf,"Cache-Control: no-cache\r\nPragma: no-cache\r\n");
+ Buf += "Cache-Control: no-cache\r\nPragma: no-cache\r\n";
}
else
{
if (Itm->IndexFile == true)
{
- sprintf(Buf+strlen(Buf),"Cache-Control: max-age=%u\r\n",
- _config->FindI("Acquire::http::Max-Age",0));
+ std::string Tmp;
+ strprintf(Tmp, "Cache-Control: max-age=%u\r\n",
+ _config->FindI("Acquire::http::Max-Age",0));
+ Buf += Tmp;
}
else
{
if (_config->FindB("Acquire::http::No-Store",false) == true)
- strcat(Buf,"Cache-Control: no-store\r\n");
+ Buf += "Cache-Control: no-store\r\n";
}
}
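Review bot: In the proxy branch the request line is built from `Itm->Uri.c_str()` as-is, while the direct branch passes `Uri.Path` through `QuoteString(Uri.Path,"~")`; now that the length limit is gone it would be good to document or enforce that neither `Itm->Uri` nor `ProperHost` can contain CR or LF before they reach the `%s` in the format string. Whether the URI is already encoded by the caller is not visible in this hunk. Separately, `"Cache-Control: max-age=%u\r\n"` is fed the result of `_config->FindI(...)`; if that returns a signed int, a negative configured value prints as a large unsigned number, so `%i` or a clamp to zero would be safer. The `Tmp` temporary suggests `strprintf` overwrites its target rather than appending, which deserves a one-line comment such as `// strprintf assigns, so format into Tmp and append`.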
@@ -724,7 +722,7 @@
size_t const filepos = Itm->Uri.find_last_of('/');
string const file = Itm->Uri.substr(filepos + 1);
if (flExtension(file) == file)
- strcat(Buf,"Accept: text/*\r\n");
+ Buf += "Accept: text/*\r\n";
}
string Req = Buf;
@@ -734,7 +732,7 @@
if (stat(Itm->DestFile.c_str(),&SBuf) >= 0 && SBuf.st_size > 0)
{
// In this case we send an if-range query with a range header
- sprintf(Buf,"Range: bytes=%lli-\r\nIf-Range: %s\r\n",(long long)SBuf.st_size - 1,
+ strprintf(Buf, "Range: bytes=%lli-\r\nIf-Range: %s\r\n",(long long)SBuf.st_size - 1,
TimeRFC1123(SBuf.st_mtime).c_str());
Req += Buf;
}
@@ -742,7 +740,7 @@
{
if (Itm->LastModified != 0)
{
- sprintf(Buf,"If-Modified-Since: %s\r\n",TimeRFC1123(Itm->LastModified).c_str());
+ strprintf(Buf,"If-Modified-Since: %s\r\n",TimeRFC1123(Itm->LastModified).c_str());
Req += Buf;
}
}