Version in base suite: 1.8.4.1 Base version: python-apt_1.8.4.1 Target version: python-apt_1.8.4.2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/python-apt/python-apt_1.8.4.1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/python-apt/python-apt_1.8.4.2.dsc data/templates/Debian.mirrors | 52 ++++-------- data/templates/Ubuntu.mirrors | 180 ++++++++++++++++++++++++++---------------- debian/changelog | 15 +++ python/apt_instmodule.cc | 1 python/apt_instmodule.h | 2 python/arfile.cc | 81 +++++++++++++----- python/generic.h | 19 ++++ python/tag.cc | 7 - python/tarfile.cc | 8 - tests/test_cve_2020_27351.py | 106 ++++++++++++++++++++++++ 10 files changed, 335 insertions(+), 136 deletions(-) diff -Nru python-apt-1.8.4.1/data/templates/Debian.mirrors python-apt-1.8.4.2/data/templates/Debian.mirrors --- python-apt-1.8.4.1/data/templates/Debian.mirrors 2020-01-23 10:10:21.000000000 +0000 +++ python-apt-1.8.4.2/data/templates/Debian.mirrors 2020-12-01 19:18:12.000000000 +0000 @@ -18,13 +18,11 @@ http://ftp.au.debian.org/debian/ http://mirror.aarnet.edu.au/debian/ http://mirror.amaze.com.au/debian/ -http://mirror.datamossa.io/debian/ http://mirror.intergrid.com.au/debian/ http://mirror.launtel.net.au/debian/ http://mirror.linux.org.au/debian/ http://mirror.overthewire.com.au/debian/ http://mirror.realcompute.io/debian/ -http://mirror.waia.asn.au/debian/ #LOC:BE http://ftp.be.debian.org/debian/ http://ftp.belnet.be/debian/ @@ -41,9 +39,9 @@ #LOC:BR http://alcateia.ufscar.br/debian/ http://debian.c3sl.ufpr.br/debian/ +http://debian.itsbrasil.net/debian/ http://debian.pop-sc.rnp.br/debian/ http://ftp.br.debian.org/debian/ -http://mirror.nbtelecom.com.br/debian/ http://mirror.unesp.br/debian/ http://repositorio.nti.ufal.br/debian/ #LOC:BY @@ -69,7 +67,6 @@ #LOC:CL http://debian.netlinux.cl/debian/ http://debian.redlibre.cl/debian/ -http://debian.utalca.cl/debian/ http://ftp.cl.debian.org/debian/ http://mirror.insacom.cl/debian/ http://mirror.ufro.cl/debian/ 
@@ -78,6 +75,7 @@ http://ftp2.cn.debian.org/debian/ http://mirror.lzu.edu.cn/debian/ http://mirrors.163.com/debian/ +http://mirrors.bfsu.edu.cn/debian/ http://mirrors.huaweicloud.com/debian/ http://mirrors.tuna.tsinghua.edu.cn/debian/ http://mirrors.ustc.edu.cn/debian/ @@ -95,6 +93,7 @@ http://ftp.zcu.cz/debian/ http://merlin.fit.vutbr.cz/debian/ http://mirror.dkm.cz/debian/ +http://mirror.it4i.cz/debian/ #LOC:DE http://artfiles.org/debian/ http://debian.charite.de/debian/ @@ -102,7 +101,6 @@ http://debian.intergenia.de/debian/ http://debian.mirror.iphh.net/debian/ http://debian.mirror.lrz.de/debian/ -http://debian.mirror.net-d-sign.de/debian/ http://debian.tu-bs.de/debian/ http://debian.uni-duisburg-essen.de/debian/ http://ftp-stud.hs-esslingen.de/debian/ @@ -124,9 +122,12 @@ http://ftp2.de.debian.org/debian/ http://mirror.23media.de/debian/ http://mirror.de.leaseweb.net/debian/ +http://mirror.dogado.de/debian/ http://mirror.eu.oneandone.net/debian/ http://mirror.ipb.de/debian/ +http://mirror.k-cix.de/debian/ http://mirror.netcologne.de/debian/ +http://mirror.netzwerge.de/debian/ http://mirror.united-gameserver.de/debian/ http://mirror.wtnet.de/debian/ http://packages.hs-regensburg.de/debian/ @@ -134,7 +135,6 @@ #LOC:DK http://ftp.dk.debian.org/debian/ http://mirror.asergo.com/debian/ -http://mirror.netcrunch.dk/debian/ http://mirror.one.com/debian/ http://mirrors.dotsrc.org/debian/ http://mirrors.rackhosting.com/debian/ 
@@ -149,23 +149,22 @@ http://ftp.caliu.cat/debian/ http://ftp.cica.es/debian/ http://ftp.es.debian.org/debian/ -http://ftp.gul.uc3m.es/debian/ http://ftp.udc.es/debian/ http://mirror.librelabucm.org/debian/ +http://repo.ifca.es/debian/ http://softlibre.unizar.es/debian/ http://ulises.hostalia.com/debian/ #LOC:FI http://www.nic.funet.fi/debian/ #LOC:FR http://deb-mir1.naitways.net/debian/ +http://debian.apt-mirror.de/debian/ http://debian.mirror.ate.info/ -http://debian.mirrors.ovh.net/debian/ http://debian.polytech-lille.fr/debian/ http://debian.proxad.net/debian/ http://debian.univ-lorraine.fr/debian/ http://debian.univ-reims.fr/debian/ http://debian.univ-tlse2.fr/debian/ -http://ftp.crihan.fr/debian/ http://ftp.ec-m.fr/debian/ http://ftp.fr.debian.org/debian/ http://ftp.iut-bm.univ-fcomte.fr/debian/ @@ -179,23 +178,21 @@ #LOC:GB http://debian.mirror.uk.sargasso.net/debian/ http://debian.mirrors.uk2.net/debian/ -http://debian.serverspace.co.uk/debian/ http://free.hands.com/debian/ http://ftp.is.debian.org/debian/ http://ftp.ticklers.org/debian/ http://ftp.uk.debian.org/debian/ http://mirror.bytemark.co.uk/debian/ +http://mirror.cov.ukservers.com/debian/ http://mirror.lchost.net/debian/ http://mirror.mythic-beasts.com/debian/ http://mirror.ox.ac.uk/debian/ http://mirror.positive-internet.com/debian/ -http://mirror.sax.uk.as61049.net/debian/ http://mirror.sov.uk.goscomb.net/debian/ http://mirror.sucs.swan.ac.uk/pub/linux/debian/ http://mirror.vorboss.net/debian/ http://mirrors.coreix.net/debian/ http://mirrors.m247.com/debian/ -http://mirrors.melbourne.co.uk/debian/ http://mirrorservice.org/sites/ftp.debian.org/debian/ http://ukdebian.mirror.anlx.net/debian/ #LOC:GE @@ -226,6 +223,7 @@ http://debian.co.il/debian/ http://mirror.isoc.org.il/pub/debian/ #LOC:IN +http://debian.sbnw.in/debian/ http://debianmirror.nkn.in/debian/ http://debmirror.hbcse.tifr.res.in/debian/ http://mirror.cse.iitk.ac.in/debian/ 
@@ -256,11 +254,14 @@ http://debian.mirror.liquidtelecom.com/debian/ #LOC:KG http://mir.linux.kg/debian/ +#LOC:KH +http://mirror.cambo.host/debian/ #LOC:KR http://ftp.harukasan.org/debian/ http://ftp.kaist.ac.kr/debian/ http://ftp.kr.debian.org/debian/ http://ftp.lanet.kr/debian/ +http://mirror.anigil.com/debian/ #LOC:KZ http://mirror.hoster.kz/debian/ http://mirror.ps.kz/debian/ @@ -281,17 +282,13 @@ http://mirrors.mivocloud.com/debian/ #LOC:MK http://mirror.onevip.mk/debian/ -#LOC:MX -http://ftp.mx.debian.org/debian/ -http://mmc.geofisica.unam.mx/debian/ #LOC:NC http://debian.nautile.nc/debian/ http://ftp.nc.debian.org/debian/ +http://mirror.lagoon.nc/debian/ #LOC:NL http://debian.mirror.cambrium.nl/debian/ http://debian.snt.utwente.nl/debian/ -http://debian.voipgrow.com/debian/ -http://debmirror.tuxis.nl/debian/ http://ftp.debian.org/debian/ http://ftp.debian.xs4all.net/debian/ http://ftp.nl.debian.org/debian/ @@ -304,7 +301,6 @@ http://mirror.nl.datapacket.com/debian/ http://mirror.nl.leaseweb.net/debian/ http://mirror.novg.net/debian/ -http://mirror.proserve.nl/debian/ http://mirror.schoemaker.systems/debian/ http://mirror.seedvps.com/debian/ http://mirror.serverius.net/debian/ @@ -314,11 +310,8 @@ http://ftp.no.debian.org/debian/ http://ftp.uio.no/debian/ #LOC:NZ -http://ftp.citylink.co.nz/debian/ http://ftp.nz.debian.org/debian/ http://mirror.fsmg.org.nz/debian/ -#LOC:PF -http://repository.linux.pf/debian/ #LOC:PH http://mirror.pregi.net/debian/ http://mirror.rise.ph/debian/ @@ -326,7 +319,6 @@ http://debian.inhost.pro/debian/ http://ftp.agh.edu.pl/debian/ http://ftp.icm.edu.pl/pub/Linux/debian/ -http://ftp.man.poznan.pl/linux/debian/ http://ftp.pl.debian.org/debian/ http://ftp.task.gda.pl/debian/ #LOC:PT 
@@ -334,12 +326,11 @@ http://ftp.eq.uc.pt/software/Linux/debian/ http://ftp.pt.debian.org/debian/ http://ftp.rnl.tecnico.ulisboa.pt/pub/debian/ +http://mirrors.ptisp.pt/debian/ http://mirrors.up.pt/debian/ #LOC:RE http://depot-debian.univ-reunion.fr/debian/ #LOC:RO -http://ftp.ro.debian.org/debian/ -http://ftp.upcnet.ro/debian/ http://mirrors.nav.ro/debian/ http://mirrors.nxthost.com/debian/ http://mirrors.pidginhost.com/debian/ @@ -361,6 +352,7 @@ http://ftp.acc.umu.se/debian/ http://ftp.fi.debian.org/debian/ http://ftp.se.debian.org/debian/ +http://ftpmirror1.infania.net/debian/ http://mirror.linux.pizza/debian/ http://mirror.zetup.net/debian/ http://mirrors.glesys.net/debian/ @@ -375,7 +367,6 @@ http://ftp.sk.debian.org/debian/ #LOC:SV http://debian.salud.gob.sv/debian/ -http://debian.ues.edu.sv/debian/ http://ftp.sv.debian.org/debian/ #LOC:TH http://ftp.debianclub.org/debian/ @@ -384,7 +375,6 @@ #LOC:TR http://debian.gnu.gen.tr/debian/ http://ftp.linux.org.tr/debian/ -http://ftp.metu.edu.tr/debian/ http://ftp.tr.debian.org/debian/ #LOC:TW http://debian.cs.nctu.edu.tw/debian/ @@ -394,7 +384,6 @@ http://ftp.tw.debian.org/debian/ http://opensource.nchc.org.tw/debian/ #LOC:UA -http://debian.org.ua/debian/ http://debian.volia.net/debian/ http://mirror.mirohost.net/debian/ #LOC:US @@ -405,18 +394,14 @@ http://debian.ec.as6453.net/debian/ http://debian.gtisc.gatech.edu/debian/ http://debian.mirror.constant.com/debian/ -http://debian.mirrors.pair.com/debian/ http://debian.osuosl.org/debian/ http://debian.uchicago.edu/debian/ http://ftp.us.debian.org/debian/ -http://ftp.utexas.edu/debian/ http://mirror.cc.columbia.edu/debian/ http://mirror.cogentco.com/debian/ http://mirror.keystealth.org/debian/ -http://mirror.math.princeton.edu/pub/debian/ http://mirror.pit.teraswitch.com/debian/ http://mirror.siena.edu/debian/ -http://mirror.sjc02.svwh.net/debian/ http://mirror.steadfast.net/debian/ http://mirror.us.leaseweb.net/debian/ http://mirror.us.oneandone.net/debian/ 
@@ -430,16 +415,15 @@ http://mirrors.ocf.berkeley.edu/debian/ http://mirrors.syringanetworks.net/debian/ http://mirrors.wikimedia.org/debian/ -http://mirrors.xmission.com/debian/ http://mirrors.xtom.com/debian/ +http://plug-mirror.rcac.purdue.edu/debian/ http://repo.ialab.dsu.edu/debian/ http://us.mirror.nsec.pt/debian/ -http://www.gtlib.gatech.edu/debian/ #LOC:UY http://debian.repo.cure.edu.uy/debian/ #LOC:VN http://debian.xtdv.net/debian/ +http://mirror.bizflycloud.vn/debian/ #LOC:ZA -http://debian.mirror.ac.za/debian/ http://debian.saix.net/ http://ftp.is.co.za/debian/ diff -Nru python-apt-1.8.4.1/data/templates/Ubuntu.mirrors python-apt-1.8.4.2/data/templates/Ubuntu.mirrors --- python-apt-1.8.4.1/data/templates/Ubuntu.mirrors 2020-01-23 10:10:21.000000000 +0000 +++ python-apt-1.8.4.2/data/templates/Ubuntu.mirrors 2020-12-01 19:18:12.000000000 +0000 
@@ -1,33 +1,34 @@ mirror://mirrors.ubuntu.com/mirrors.txt +#LOC:AL +https://al.mirror.kumi.systems/ubuntu/ #LOC:AM http://mirrors.asnet.am/ubuntu/ #LOC:AR +http://mirrors.eze.sysarmy.com/ubuntu/ http://ubuntu.unc.edu.ar/ubuntu/ #LOC:AT http://mirror.easyname.at/ubuntu-archive/ -http://mirror.kumi.systems/ubuntu/ http://ubuntu.anexia.at/ubuntu/ http://ubuntu.inode.at/ubuntu/ http://ubuntu.lagis.at/ubuntu/ http://ubuntu.uni-klu.ac.at/ubuntu/ +https://mirror.kumi.systems/ubuntu-ports/ +https://mirror.kumi.systems/ubuntu/ #LOC:AU http://ftp.iinet.net.au/pub/ubuntu/ http://mirror.aarnet.edu.au/pub/ubuntu/archive/ -http://mirror.as24220.net/pub/ubuntu-archive/ http://mirror.as24220.net/pub/ubuntu/ http://mirror.intergrid.com.au/ubuntu/ http://mirror.internode.on.net/pub/ubuntu/ubuntu/ -http://mirror.launtel.net.au/ubuntu/ http://mirror.netspace.net.au/pub/ubuntu/ http://mirror.overthewire.com.au/ubuntu/ http://mirror.realcompute.io/ubuntu/ http://mirror.solnode.io/ubuntu/releases/ -http://mirror.tcc.wa.edu.au/ubuntu/ -http://mirror.waia.asn.au/ubuntu/ -http://ubuntu.melbourneitmirror.net/archive/ http://ubuntu.mirror.datamossa.io/ubuntu/ -http://ubuntu.mirror.digitalpacific.com.au/archive/ http://ubuntu.mirror.serversaustralia.com.au/ubuntu/ +https://mirror.internet.asn.au/pub/ubuntu/archive/ +https://mirror.launtel.net.au/ubuntu/ +https://ubuntu.mirror.digitalpacific.com.au/archive/ #LOC:AZ http://aze.archive.ubuntu.com/ubuntu/ http://mirror.datacenter.az/ubuntu/ 
@@ -49,14 +50,15 @@ http://ubuntu.uni-sofia.bg/ubuntu/ #LOC:BR http://mirror.globo.com/ubuntu/archive/ -http://mirror.hostdime.com.br/ubuntu/ http://mirror.ufam.edu.br/ubuntu/ -http://mirror.ufca.edu.br/mirror/ubuntu-archive/ http://mirror.ufscar.br/ubuntu/ http://repositorio.nti.ufal.br/ubuntu/ http://sft.if.usp.br/ubuntu/ http://ubuntu-archive.locaweb.com.br/ubuntu/ http://ubuntu.c3sl.ufpr.br/ubuntu/ +https://ubuntu.itsbrasil.net/ubuntu/ +#LOC:BW +http://mirror.retentionrange.co.bw/ubuntu/ #LOC:BY http://ftp.byfly.by/ubuntu/ http://mirror.datacenter.by/ubuntu/ @@ -70,26 +72,30 @@ http://mirror.csclub.uwaterloo.ca/ubuntu/ http://mirror.it.ubc.ca/ubuntu/ http://mirror.its.dal.ca/ubuntu/ -http://mirror.its.sfu.ca/mirror/ubuntu/ +http://mirror.rcg.sfu.ca/mirror/ubuntu/ http://mirrors.layeronline.com/ubuntu/ http://muug.ca/mirror/ubuntu/ http://ubuntu.bhs.mirrors.ovh.net/ubuntu/ http://ubuntu.ca-west.mirror.fullhost.io/ubuntu/ -http://ubuntu.maxime.vip/ubuntu/ http://ubuntu.mirror.globo.tech/ http://ubuntu.mirror.iweb.ca/ http://ubuntu.mirror.rafal.ca/ubuntu/ +https://mirror.esecuredata.com/ubuntu-archive/ +https://mirror.reenigne.net/ubuntu/ +https://mirrors.switch.ca/ubuntu/ #LOC:CH http://archive.ubuntu.csg.uzh.ch/ubuntu/ http://mirror.init7.net/ubuntu/ http://pkg.adfinis-sygroup.ch/ubuntu/ http://ubuntu.ethz.ch/ubuntu/ #LOC:CL -http://ftp.tecnoera.com/ubuntu/ http://mirror.uchile.cl/ubuntu/ +http://mirror1.cl.netactuate.com/ubuntu/ http://mirrors.cloud.linets.cl/ubuntu/ +https://mirror.ufro.cl/ubuntu/ #LOC:CN http://ftp.sjtu.edu.cn/ubuntu/ +http://linux.xjtuns.cn/ubuntu/ http://mirror.lzu.edu.cn/ubuntu/ http://mirrors.aliyun.com/ubuntu/ http://mirrors.cn99.com/ubuntu/ 
@@ -102,9 +108,11 @@ http://mirrors.tuna.tsinghua.edu.cn/ubuntu/ http://mirrors.ustc.edu.cn/ubuntu/ http://mirrors.yun-idc.com/ubuntu/ +https://mirror.bjtu.edu.cn/ubuntu/ +https://mirrors.bfsu.edu.cn/ubuntu/ +https://mirrors.hit.edu.cn/ubuntu/ #LOC:CO http://mirror.unimagdalena.edu.co/ubuntu/ -http://mirror.upb.edu.co/ubuntu/ #LOC:CR http://ubuntu.ucr.ac.cr/ubuntu/ #LOC:CY @@ -116,6 +124,7 @@ http://ftp.sh.cvut.cz/ubuntu/ http://mirror.dkm.cz/ubuntu/ http://ucho.ignum.cz/ubuntu/ +https://mirror.it4i.cz/ubuntu/ #LOC:DE ftp://ftp.fu-berlin.de/linux/ubuntu/ ftp://ftp.rrzn.uni-hannover.de/pub/mirror/linux/ubuntu @@ -134,11 +143,10 @@ http://ftp.uni-bayreuth.de/linux/ubuntu/ubuntu/ http://ftp.uni-kl.de/pub/linux/ubuntu/ http://ftp.uni-mainz.de/ubuntu/ -http://ftp.uni-stuttgart.de/ubuntu/ http://ftp5.gwdg.de/pub/linux/debian/ubuntu/ http://linux.darkpenguin.net/distros/ubuntu-archive/ http://mirror.23media.com/ubuntu/ -http://mirror.de.leaseweb.net/ubuntu/ +http://mirror.daniel-jost.net/ubuntu/ http://mirror.eu-fr.kamatera.com/ubuntu/ http://mirror.funkfreundelandshut.de/ubuntu/ http://mirror.ipb.de/ubuntu/ @@ -156,16 +164,18 @@ http://ubuntu.mirror.lrz.de/ubuntu/ http://ubuntu.mirror.tudos.de/ubuntu/ http://ubuntu.unitedcolo.de/ubuntu/ +https://de.mirrors.clouvider.net/ubuntu/ +https://files.tux-users.net/ubuntu/ +https://ftp.uni-stuttgart.de/ubuntu/ +https://mirror.de.leaseweb.net/ubuntu/ +https://mirror.dogado.de/ubuntu/ +https://mirror.scaleuptech.com/ubuntu/ #LOC:DK http://ftp.klid.dk/ftp/ubuntu/ -http://klid.dk/ftp/ubuntu/ -http://mirror.easyspeedy.com/ubuntu/ -http://mirror.iodc.dk/ubuntu/ -http://mirror.netcrunch.dk/ubuntu/ http://mirror.netsite.dk/ubuntu/archive/ http://mirror.one.com/ubuntu/ http://mirrors.dotsrc.org/ubuntu/ -http://ubuntu.mirror.iodc.dk/ubuntu/ +https://mirror.asergo.com/ubuntu/ #LOC:EC http://mirror.cedia.org.ec/ubuntu/ http://mirror.espol.edu.ec/ubuntu/ 
@@ -173,7 +183,7 @@ http://ftp.aso.ee/ubuntu/ http://ftp.estpak.ee/ubuntu/ #LOC:ES -ftp://ftp.csuc.cat/ubuntu/archieve/ +http://dafi.inf.um.es/ubuntu/ http://es-mirrors.evowise.com/ubuntu/ http://ftp.caliu.cat/pub/distribucions/ubuntu/archive/ http://ftp.udc.es/ubuntu/ 
@@ -182,43 +192,46 @@ http://ubuntu.cica.es/ubuntu/ http://ubuntu.grn.cat/ubuntu/ http://ubuntu.uc3m.es/ubuntu/ +https://ftp.csuc.cat/ubuntu/archieve/ #LOC:FI +http://mirror.hosthink.net/ubuntu/ http://mirrors.nic.funet.fi/ubuntu/ #LOC:FR http://distrib-coffee.ipsl.jussieu.fr/pub/linux/ubuntu/ -http://fr.archive.ubuntu.com/ubuntu/ http://ftp.oleane.net/ubuntu/ http://ftp.rezopole.net/ubuntu/ -http://ftp.u-picardie.fr/mirror/ubuntu/ubuntu/ http://miroir.univ-lorraine.fr/ubuntu/ http://mirror.plusserver.com/ubuntu/ubuntu/ -http://mirror.ubuntu.ikoula.com/ -http://mirror.ubuntu.ikoula.com/ubuntu/ http://mirrors.ircam.fr/pub/ubuntu/archive/ http://ubuntu.mirror.serverloft.de/ubuntu/ http://ubuntu.mirrors.ovh.net/ubuntu/ http://ubuntu.univ-nantes.fr/ubuntu/ http://ubuntu.univ-reims.fr/ubuntu/ http://www-ftp.lip6.fr/pub/linux/distributions/Ubuntu/archive/ +https://fr.archive.ubuntu.com/ubuntu/ +https://ftp.u-picardie.fr/mirror/ubuntu/ubuntu/ +https://mirror.ubuntu.ikoula.com/ #LOC:GB http://archive.ubuntu.com/ubuntu/ http://mirror.as29550.net/archive.ubuntu.com/ http://mirror.bytemark.co.uk/ubuntu/ +http://mirror.cov.ukservers.com/ubuntu/ http://mirror.eu-lo.kamatera.com/ubuntu/ http://mirror.freethought-internet.co.uk/ubuntu/ http://mirror.mythic-beasts.com/ubuntu/ http://mirror.ox.ac.uk/sites/archive.ubuntu.com/ubuntu/ -http://mirror.sax.uk.as61049.net/ubuntu/ http://mirror.sov.uk.goscomb.net/ubuntu/ http://mirror.vorboss.net/ubuntu-archive/ http://mirrors.coreix.net/ubuntu/ http://mirrors.melbourne.co.uk/ubuntu/ http://mirrors.ukfast.co.uk/sites/archive.ubuntu.com/ -http://mozart.ee.ic.ac.uk/ubuntu-archive/ http://ubuntu.mirrors.uk2.net/ubuntu/ http://ubuntu.positive-internet.com/ubuntu/ http://uk-mirrors.evowise.com/ubuntu/ +http://uk.mirror.worldbus.ge/ubuntu/ http://www.mirrorservice.org/sites/archive.ubuntu.com/ubuntu/ +https://mirrors.gethosted.online/ubuntu/ +https://uk.mirrors.clouvider.net/ubuntu/ #LOC:GE http://ubuntu.grena.ge/ubuntu/ #LOC:GL 
@@ -231,16 +244,20 @@ http://ftp.cuhk.edu.hk/pub/Linux/ubuntu/ http://hk.mirrors.thegigabit.com/ubuntu/ http://mirror-hk.koddos.net/ubuntu/ +http://mirror.as.kamatera.com/ubuntu/ http://mirror.xtom.com.hk/ubuntu/ +http://www.ubuntu.org.tw/ #LOC:HR -http://hr.archive.ubuntu.com/ubuntu/ +http://ubuntu.grad.hr/ubuntu/ +https://hr.mirror.kumi.systems/ubuntu/ #LOC:HU http://ftp.fsn.hu/ubuntu/ -http://mirror.niif.hu/ubuntu/ http://mirrors.sth.sze.hu/ubuntu/ -http://quantum-mirror.hu/mirrors/pub/ubuntu/ http://repo.jztkft.hu/ubuntu/ +https://mirror.niif.hu/ubuntu/ +https://quantum-mirror.hu/mirrors/pub/ubuntu/ #LOC:ID +http://buaya.klas.or.id/ubuntu/ http://kambing.ui.ac.id/ubuntu/ http://kartolo.sby.datautama.net.id/ubuntu/ http://kebo.pens.ac.id/ubuntu/ @@ -251,8 +268,13 @@ http://mirror.poliwangi.ac.id/ubuntu/ http://mirror.telkomuniversity.ac.id/ubuntu/ http://mirror.unej.ac.id/ubuntu/ -http://repo.unpatti.ac.id/ubuntu/ http://suro.ubaya.ac.id/ubuntu/ +https://mirror.gi.co.id/ubuntu/ +https://mirror.papua.go.id/ubuntu/ +https://pinguin.dinus.ac.id/iso/ubuntu/repo/ +https://repo.dinamika.ac.id/ubuntu/ +#LOC:IE +http://ftp.heanet.ie/pub/ubuntu/ #LOC:IL http://mirror.il-jr.kamatera.com/ubuntu/ http://mirror.il-pt.kamatera.com/ubuntu/ 
@@ -270,44 +292,46 @@ http://ubuntu.mirror.snu.edu.in/ubuntu/ #LOC:IR http://archive.ubuntu.petiak.ir/ubuntu/ -http://mirror.0-1.cloud/ubuntu/ +http://ir.ubuntu.sindad.cloud/ubuntu/ http://mirror.aminidc.com/ubuntu/ http://mirror.armaghan.net/ubuntu/ http://mirror.rasanegar.com/ubuntu/archive/ -http://mirror.xaas.ir/ubuntu/ http://repo.iut.ac.ir/repo/Ubuntu/ -http://ubuntu-mirror.parsdev.net/ubuntu-archive/ -http://ubuntu.hostiran.ir/ubuntuarchive/ -http://ubuntu.parspack.net/ubuntu/ +https://mirror.iranserver.com/ubuntu/ +https://ubuntu.shatel.ir/ubuntu/ #LOC:IS http://speglar.simnet.is/ubuntu/ http://ubuntu.hysing.is/ubuntu/ #LOC:IT http://giano.com.dist.unige.it/ubuntu/ http://it-mirrors.evowise.com/ubuntu/ -http://mirror.crazynetwork.it/ubuntu/archive/ http://ubuntu.connesi.it/ubuntu/ http://ubuntu.mirror.garr.it/ubuntu/ #LOC:JP http://ftp.jaist.ac.jp/pub/Linux/ubuntu/ http://ftp.riken.jp/Linux/ubuntu/ http://ftp.tsukuba.wide.ad.jp/Linux/ubuntu/ -http://linux.yz.yamagata-u.ac.jp/ubuntu/ http://mirror.fairway.ne.jp/ubuntu/ http://ubuntu-ashisuto.ubuntulinux.jp/ubuntu/ http://ubuntutym.u-toyama.ac.jp/ubuntu/ http://www.ftp.ne.jp/Linux/packages/ubuntu/archive/ +https://linux.yz.yamagata-u.ac.jp/ubuntu/ #LOC:KE http://ubuntu.mirror.ac.ke/ubuntu/ +#LOC:KH +http://mirror.telcotech.com.kh/Linux/ubuntu-releases/ #LOC:KR http://ftp.daum.net/ubuntu/ -http://ftp.harukasan.org/ubuntu/ http://ftp.lanet.kr/ubuntu/ -http://ftp.neowiz.com/ubuntu/ +http://mirror.anigil.com/ubuntu/ http://mirror.kakao.com/ubuntu/ -http://mirror.yongbok.net/ubuntu/ -#LOC:KW -http://ubuntu.archive.kw.zain.com/ +https://ftp.harukasan.org/ubuntu-ports/ +https://ftp.harukasan.org/ubuntu/ +https://mirror.misakamikoto.network/ubuntu-ports/ +https://mirror.misakamikoto.network/ubuntu/ +https://mirror.yongbok.net/ubuntu/ +https://twitchdarkbot.com/ubuntu-ports/ +https://twitchdarkbot.com/ubuntu/ #LOC:KZ http://mirror.hoster.kz/ubuntu/ http://mirror.neolabs.kz/ubuntu/ 
@@ -320,12 +344,12 @@ #LOC:LU http://ubuntu.mirror.root.lu/ubuntu/ #LOC:LV -http://ubuntu-arch.linux.edu.lv/ubuntu/ http://ubuntu.koyanet.lv/ubuntu/ #LOC:MA http://mirror.marwan.ma/ubuntu/ #LOC:MD http://mirror.as43289.net/ubuntu/ +http://mirror.ihost.md/ubuntu/ http://mirrors.mivocloud.com/ubuntu/ #LOC:MG http://ubuntu.dts.mg/ubuntu/ @@ -336,13 +360,16 @@ http://mirror.datacenter.mn/ubuntu/ #LOC:MY http://my.mirrors.thegigabit.com/ubuntu/ -http://ubuntu.ipserverone.com/ubuntu/ http://ubuntu.mirror.myduniahost.com/ubuntu/ http://ubuntu.tuxuri.com/ubuntu/ +https://ubuntu.ipserverone.com/ubuntu/ #LOC:NA http://download.nust.na/pub/ubuntu/ubuntu/ #LOC:NC http://archive.ubuntu.nautile.nc/ubuntu/ +http://ubuntu.lagoon.nc/ubuntu/ +#LOC:NG +http://mirror.ng/ubuntu-archive/ #LOC:NL ftp://ftpserv.tudelft.nl/pub/Linux/archive.ubuntu.com/ http://ftp.nluug.nl/os/Linux/distr/ubuntu/ @@ -353,10 +380,8 @@ http://mirror.dataone.nl/ubuntu-archive/ http://mirror.eu.kamatera.com/ubuntu/ http://mirror.hostnet.nl/ubuntu/archive/ -http://mirror.i3d.net/pub/ubuntu/ http://mirror.nforce.com/pub/linux/ubuntu/ http://mirror.nl.datapacket.com/ubuntu/ -http://mirror.nl.leaseweb.net/ubuntu/ http://mirror.previder.nl/ubuntu/ http://mirror.serverion.com/ubuntu/ http://mirror.serverius.net/ubuntu/ @@ -368,19 +393,20 @@ http://osmirror.rug.nl/ubuntu/ http://ubuntu.mirror.cambrium.nl/ubuntu/ http://ubuntu.mirror.true.nl/ubuntu/ +https://mirror.nl.leaseweb.net/ubuntu/ +https://nl.mirrors.clouvider.net/ubuntu/ #LOC:NO http://ftp.uninett.no/ubuntu/ http://no.archive.ubuntu.com/ubuntu/ http://no.mirrors.blix.com/ubuntu/ http://ubuntu.uib.no/archive/ #LOC:NP +http://ntc.net.np/ubuntu/ http://ubuntu.ntc.net.np/ubuntu/ #LOC:NZ http://mirror.fsmg.org.nz/ubuntu/ http://ubuntu.mirrors.theom.nz/ http://ucmirror.canterbury.ac.nz/ubuntu/ -#LOC:PF -http://pf.archive.ubuntu.com/ubuntu/ #LOC:PH http://mirror.pregi.net/ubuntu/ http://mirror.rise.ph/ubuntu/ 
@@ -393,33 +419,41 @@ http://ftp.agh.edu.pl/ubuntu/ http://ftp.icm.edu.pl/pub/Linux/ubuntu/ http://ftp.vectranet.pl/ubuntu/ -http://mirror.onet.pl/pub/mirrors/ubuntu/ +http://mirror.chmuri.net/ubuntu/ http://piotrkosoft.net/pub/mirrors/ubuntu/ http://ubuntu.man.lodz.pl/ubuntu/ http://ubuntu.task.gda.pl/ubuntu/ +https://ftp.ps.pl/pub/Linux/ubuntu/archive/ #LOC:PR http://mirrors.upr.edu/ubuntu/ #LOC:PT +http://archive.ubuntumirror.dei.uc.pt/ubuntu/ +http://cesium.di.uminho.pt/pub/ubuntu-archive/ http://ftp.rnl.tecnico.ulisboa.pt/pub/ubuntu/archive/ http://glua.ua.pt/pub/ubuntu/ http://mirrors.up.pt/ubuntu/ +https://mirrors.ptisp.pt/ubuntu/ #LOC:RO -http://ftp.upcnet.ro/mirrors/ubuntu.com/ubuntu/ +http://mirror.efect.ro/ubuntu/archive/ http://mirrors.nav.ro/ubuntu/ http://mirrors.nxthost.com/ubuntu/ http://mirrors.pidginhost.com/ubuntu/ http://mirrors.xservers.ro/ubuntu/ http://ro-mirrors.evowise.com/ubuntu/ http://ubuntu.mirrors.linux.ro/archive/ +https://mirrors.chroot.ro/ubuntu/ #LOC:RS http://ubuntu.mirror.ftn.uns.ac.rs/archive/ +https://rs.mirror.kumi.systems/ubuntu/ #LOC:RU http://mirror.corbina.net/ubuntu/ http://mirror.docker.ru/ubuntu/ +http://mirror.logol.ru/ubuntu/ http://mirror.timeweb.ru/ubuntu/ -http://mirror.truenetwork.ru/ubuntu/ http://mirror.yandex.ru/ubuntu/ http://mirrors.powernet.com.ru/ubuntu/ +https://mirror.linux-ia64.org/ubuntu/ +https://mirror.truenetwork.ru/ubuntu/ #LOC:SA http://mirrors.isu.net.sa/pub/ubuntu-releases/ #LOC:SE 
@@ -428,54 +462,58 @@ http://mirror.linux.pizza/ubuntu/ http://mirror.operationtulip.com/ubuntu/ http://mirror.zetup.net/ubuntu/ +http://mirrors.c0urier.net/linux/ubuntu/ http://ubuntu.mirror.su.se/ubuntu/ +https://ftpmirror1.infania.net/ubuntu/ +https://mirror.duvaliden.com/ubuntu/ #LOC:SG http://download.nus.edu.sg/mirror/ubuntu/ http://mirror.0x.sg/ubuntu/ http://mirror.aktkn.sg/ubuntu/ #LOC:SI http://ftp.arnes.si/pub/mirrors/ubuntu/ +https://si.mirror.kumi.systems/ubuntu/ #LOC:SK http://ftp.energotel.sk/pub/linux/ubuntu/ http://mirror.vnet.sk/ubuntu/ http://tux.rainside.sk/ubuntu/ #LOC:TH -http://mirror.kku.ac.th/ubuntu/ -http://mirror.thaidns.co.th/ubuntu/ http://mirror1.ku.ac.th/ubuntu/ http://mirror1.totbb.net/ubuntu/ http://mirrors.bangmod.cloud/ubuntu/ +http://mirrors.nipa.cloud/ubuntu/ http://mirrors.psu.ac.th/ubuntu/ -#LOC:TN -http://ubuntu.mirror.tn/ubuntu/ +https://mirror.kku.ac.th/ubuntu/ #LOC:TR http://ftp.linux.org.tr/ubuntu/ -http://kozyatagi.mirror.guzel.net.tr/ubuntu/ -http://mirror.idealhosting.net.tr/ubuntu/ http://mirror.muvhost.com/ubuntu/ http://mirror.ni.net.tr/ubuntu/ http://ubuntu.saglayici.com/ubuntu/ http://ubuntu.turhost.com/ubuntu/ http://ubuntu.vargonen.com/ubuntu/ +https://mirror.provider.com.tr/ubuntu/ +https://mirror.sh.com.tr/ubuntu/ #LOC:TW http://free.nchc.org.tw/ubuntu/ +http://ftp.mirror.tw/pub/ubuntu/ubuntu/ http://ftp.ntou.edu.tw/ubuntu/ http://ftp.tku.edu.tw/ubuntu/ +http://ftp.twaren.net/Linux/Ubuntu/ubuntu/ http://ftp.ubuntu-tw.net/ubuntu/ -http://ftp.yzu.edu.tw/ubuntu/ http://mirror.nwlab.tk/ubuntu/ http://mirror01.idc.hinet.net/ubuntu/ http://ubuntu.cs.nctu.edu.tw/ubuntu/ +http://ubuntu.stu.edu.tw/ubuntu/ #LOC:TZ http://deb-mirror.habari.co.tz/ubuntu/ http://mirror.aptus.co.tz/pub/ubuntuarchive/ #LOC:UA http://mirror.mirohost.net/ubuntu/ http://ubuntu.colocall.net/ubuntu/ -http://ubuntu.ip-connect.vn.ua/ http://ubuntu.mirrors.omnilance.com/ubuntu/ http://ubuntu.netforce.hosting/ubuntu/ 
http://ubuntu.volia.net/ubuntu-archive/ +https://ubuntu.ip-connect.vn.ua/ #LOC:UG http://mirror.renu.ac.ug/ubuntu/ #LOC:US @@ -486,7 +524,7 @@ http://lug.mtu.edu/ubuntu/ http://mirror.ancl.hawaii.edu/linux/ubuntu/ http://mirror.arizona.edu/ubuntu/ -http://mirror.atlantic.net/ubuntu/ +http://mirror.brightridge.com/ubuntuarchive/ http://mirror.cc.columbia.edu/pub/linux/ubuntu/archive/ http://mirror.cc.vt.edu/pub2/ubuntu/ http://mirror.clarkson.edu/ubuntu/ @@ -503,7 +541,6 @@ http://mirror.metrocast.net/ubuntu/ http://mirror.mrjester.net/ubuntu/archive/ http://mirror.nodesdirect.com/ubuntu/ -http://mirror.os6.org/ubuntu/ http://mirror.pit.teraswitch.com/ubuntu/ http://mirror.pnl.gov/ubuntu/ http://mirror.siena.edu/ubuntu/ @@ -511,7 +548,6 @@ http://mirror.steadfastnet.com/ubuntu/ http://mirror.team-cymru.com/ubuntu/ http://mirror.team-cymru.org/ubuntu/ -http://mirror.tocici.com/ubuntu/ http://mirror.ubuntu.serverforge.org/ http://mirror.umd.edu/ubuntu/ http://mirror.uoregon.edu/ubuntu/ @@ -519,14 +555,12 @@ http://mirror.us-ny2.kamatera.com/ubuntu/ http://mirror.us-sc.kamatera.com/ubuntu/ http://mirror.us-tx.kamatera.com/ubuntu/ -http://mirror.us.leaseweb.net/ubuntu/ http://mirror.vcu.edu/pub/gnu+linux/ubuntu/ http://mirrors.accretive-networks.net/ubuntu/ http://mirrors.advancedhosters.com/ubuntu/ http://mirrors.arpnetworks.com/Ubuntu/ -http://mirrors.bloomu.edu/ubuntu/ http://mirrors.cat.pdx.edu/ubuntu/ -http://mirrors.codec-cluster.org/ubuntu/ +http://mirrors.easynews.com/linux/ubuntu/ http://mirrors.gigenet.com/ubuntuarchive/ http://mirrors.liquidweb.com/ubuntu/ http://mirrors.lug.mtu.edu/ubuntu/ 
@@ -545,15 +579,16 @@ http://mirrors.xmission.com/ubuntu/ http://mirrors.xtom.com/ubuntu/ http://ny-mirrors.evowise.com/ubuntu/ +http://plug-mirror.rcac.purdue.edu/ubuntu/ http://pubmirrors.dal.corespace.com/ubuntu/ http://reflector.westga.edu/repos/Ubuntu/archive/ http://repo.ialab.dsu.edu/ubuntu/ http://repo.miserver.it.umich.edu/ubuntu/ http://repos.forethought.net/ubuntu/ -http://ubuntu-mirror.netzyp.com/ubuntu/ http://ubuntu.cs.utah.edu/ubuntu/ http://ubuntu.mirror.constant.com/ http://ubuntu.mirror.frontiernet.net/ubuntu/ +http://ubuntu.mirror.vio.sh/ubuntu/ http://ubuntu.mirrors.pair.com/archive/ http://ubuntu.mirrors.tds.net/pub/ubuntu/ http://ubuntu.osuosl.org/ubuntu/ @@ -561,18 +596,29 @@ http://us.mirror.nsec.pt/ubuntu/ http://www.club.cc.cmu.edu/pub/ubuntu/ http://www.gtlib.gatech.edu/pub/ubuntu/ +https://archive.ubuntu.thomas-ward-consulting.llc/ubuntu/ +https://atl.mirrors.clouvider.net/ubuntu/ +https://la.mirrors.clouvider.net/ubuntu/ +https://mirror.os6.org/ubuntu/ +https://mirror.us.leaseweb.net/ubuntu/ +https://mirrors.bloomu.edu/ubuntu/ +https://nyc.mirrors.clouvider.net/ubuntu/ #LOC:UY http://repos.interior.edu.uy/ubuntu/ http://ubuntu.repo.cure.edu.uy/mirror/ #LOC:UZ http://ubuntu.snet.uz/ubuntu/ #LOC:VN +http://mirror.bizflycloud.vn/ubuntu/ http://mirror.clearsky.vn/ubuntu/ http://mirror.ehost.vn/ubuntu/ http://mirrors.nhanhoa.com/ubuntu/ http://mirrors.vhost.vn/ubuntu/ http://opensource.xtdv.net/ubuntu/ +https://mirrors.bkns.vn/ubuntu/ #LOC:ZA http://ftp.leg.uct.ac.za/ubuntu/ http://mirror.lnx-solutions.com/ubuntu/ http://mirror.wiru.co.za/ubuntu/ +http://ubuntu.mirror.rain.co.za/ubuntu/ +https://ubuntu.mirror.ac.za/ diff -Nru python-apt-1.8.4.1/debian/changelog python-apt-1.8.4.2/debian/changelog --- python-apt-1.8.4.1/debian/changelog 2020-01-23 10:10:21.000000000 +0000 +++ python-apt-1.8.4.2/debian/changelog 2020-12-01 19:18:12.000000000 +0000 
@@ -1,3 +1,18 @@ +python-apt (1.8.4.2) buster-security; urgency=high + + * SECURITY UPDATE: various memory and file descriptor leaks (LP: #1899193) + - python/arfile.cc, python/generic.h, python/tag.cc, python/tarfile.cc: + fix file descriptor and memory leaks + - python/apt_instmodule.cc, python/apt_instmodule.h, python/arfile.h: + Avoid reference cycle with control,data members in apt_inst.DebFile + objects + - tests/test_cve_2020_27351.py: Test cases for DebFile (others not easily + testable) + - CVE-2020-27351 + * data/templates: Update mirror lists + + -- Julian Andres Klode Tue, 01 Dec 2020 20:18:12 +0100 + python-apt (1.8.4.1) buster-security; urgency=high * SECURITY UPDATE: Check that repository is trusted before downloading diff -Nru python-apt-1.8.4.1/python/apt_instmodule.cc python-apt-1.8.4.2/python/apt_instmodule.cc --- python-apt-1.8.4.1/python/apt_instmodule.cc 2020-01-23 10:10:21.000000000 +0000 +++ python-apt-1.8.4.2/python/apt_instmodule.cc 2020-12-01 19:18:12.000000000 +0000 @@ -77,5 +77,6 @@ ADDTYPE(module,"DebFile",&PyDebFile_Type); ADDTYPE(module,"TarFile",&PyTarFile_Type); ADDTYPE(module,"TarMember",&PyTarMember_Type); + ADDTYPE(module,"__FileFd",&PyFileFd_Type); RETURN(module); } diff -Nru python-apt-1.8.4.1/python/apt_instmodule.h python-apt-1.8.4.2/python/apt_instmodule.h --- python-apt-1.8.4.1/python/apt_instmodule.h 2020-01-23 10:10:21.000000000 +0000 +++ python-apt-1.8.4.2/python/apt_instmodule.h 2020-12-01 19:18:12.000000000 +0000 @@ -20,7 +20,7 @@ extern PyTypeObject PyDebFile_Type; extern PyTypeObject PyTarFile_Type; extern PyTypeObject PyTarMember_Type; - +extern PyTypeObject PyFileFd_Type; struct PyTarFileObject : public CppPyObject { int min; FileFd Fd; diff -Nru python-apt-1.8.4.1/python/arfile.cc python-apt-1.8.4.2/python/arfile.cc --- python-apt-1.8.4.1/python/arfile.cc 2020-01-23 10:10:21.000000000 +0000 +++ python-apt-1.8.4.2/python/arfile.cc 2020-12-01 19:18:12.000000000 +0000 
@@ -128,6 +128,35 @@ armember_getset, // tp_getset }; + +static const char *filefd_doc= + "Internal helper type, representing a FileFd."; +PyTypeObject PyFileFd_Type = { + PyVarObject_HEAD_INIT(&PyType_Type, 0) + "apt_inst.__FileFd" , // tp_name + sizeof(CppPyObject), // tp_basicsize + 0, // tp_itemsize + // Methods + CppDealloc, // tp_dealloc + 0, // tp_print + 0, // tp_getattr + 0, // tp_setattr + 0, // tp_compare + 0, // tp_repr + 0, // tp_as_number + 0, // tp_as_sequence + 0, // tp_as_mapping + 0, // tp_hash + 0, // tp_call + 0, // tp_str + 0, // tp_getattro + 0, // tp_setattro + 0, // tp_as_buffer + Py_TPFLAGS_DEFAULT, // tp_flags + filefd_doc, // tp_doc +}; + + // We just add an inline method and should thus be ABI compatible in a way that // we can simply cast ARArchive instances to PyARArchiveHack. class PyARArchiveHack : public ARArchive @@ -139,7 +168,7 @@ }; struct PyArArchiveObject : public CppPyObject { - FileFd Fd; + CppPyObject *Fd; }; static const char *ararchive_getmember_doc = @@ -185,7 +214,7 @@ "Member '%s' is too large to read into memory",name.path); return 0; } - if (!self->Fd.Seek(member->Start)) + if (!self->Fd->Object.Seek(member->Start)) return HandleErrors(); char* value; @@ -196,7 +225,7 @@ "Member '%s' is too large to read into memory",name.path); return 0; } - self->Fd.Read(value, member->Size, true); + self->Fd->Object.Read(value, member->Size, true); PyObject *result = PyBytes_FromStringAndSize(value, member->Size); delete[] value; return result; @@ -274,7 +303,7 @@ PyErr_Format(PyExc_LookupError,"No member named '%s'",name.path); return 0; } - return _extract(self->Fd, member, target); + return _extract(self->Fd->Object, member, target); } static const char *ararchive_extractall_doc = @@ -293,7 +322,7 @@ const ARArchive::Member *member = self->Object->Members(); do { - if (_extract(self->Fd, member, target) == 0) + if (_extract(self->Fd->Object, member, target) == 0) return 0; } while ((member = member->Next)); Py_RETURN_TRUE; 
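Review bot: In the `@@ -196` hunk the result of `self->Fd->Object.Read(value, member->Size, true)` is still discarded, so a failed or short read of a truncated member passes whatever was in the freshly allocated `value` buffer to `PyBytes_FromStringAndSize`. The third argument looks like FileFd's allow-EOF flag, which would let a short read succeed silently; please confirm against the FileFd header. Consider the overload that reports the byte count, `unsigned long long got = 0; if (!self->Fd->Object.Read(value, member->Size, &got)) { delete[] value; return HandleErrors(); }`, and build the bytes object from `got`. The same unchecked read sits in debfile_new (hunk `@@ -597`), and the enclosing function here starts before the hunk.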
@@ -320,10 +349,10 @@ return 0; } - PyTarFileObject *tarfile = (PyTarFileObject*)CppPyObject_NEW(self,&PyTarFile_Type); - new (&tarfile->Fd) FileFd(self->Fd.Fd()); + PyTarFileObject *tarfile = (PyTarFileObject*)CppPyObject_NEW(self->Fd,&PyTarFile_Type); + new (&tarfile->Fd) FileFd(self->Fd->Object.Fd()); tarfile->min = member->Start; - tarfile->Object = new ExtractTar(self->Fd, member->Size, comp); + tarfile->Object = new ExtractTar(self->Fd->Object, member->Size, comp); return HandleErrors(tarfile); } @@ -390,36 +419,38 @@ PyObject *kwds) { PyObject *file; - PyArArchiveObject *self; PyApt_Filename filename; int fileno; if (PyArg_ParseTuple(args,"O:__new__",&file) == 0) return 0; + PyApt_UniqueObject self(NULL); // We receive a filename. if (filename.init(file)) { - self = (PyArArchiveObject *)CppPyObject_NEW(0,type); - new (&self->Fd) FileFd(filename,FileFd::ReadOnly); + self.reset((PyArArchiveObject*) CppPyObject_NEW(0,type)); + self->Fd = CppPyObject_NEW(NULL, &PyFileFd_Type); + new (&self->Fd->Object) FileFd(filename,FileFd::ReadOnly); } // We receive a file object. else if ((fileno = PyObject_AsFileDescriptor(file)) != -1) { // Clear the error set by PyObject_AsString(). PyErr_Clear(); - self = (PyArArchiveObject *)CppPyObject_NEW(file,type); - new (&self->Fd) FileFd(fileno,false); + self->Fd = CppPyObject_NEW(NULL, &PyFileFd_Type); + self.reset((PyArArchiveObject*) CppPyObject_NEW(file,type)); + new (&self->Fd->Object) FileFd(fileno,false); } else { return 0; } - self->Object = (PyARArchiveHack*)new ARArchive(self->Fd); + self->Object = (PyARArchiveHack*)new ARArchive(self->Fd->Object); if (_error->PendingError() == true) return HandleErrors(); - return self; + return self.release(); } static void ararchive_dealloc(PyObject *self) { - ((PyArArchiveObject *)(self))->Fd.~FileFd(); + Py_CLEAR(((PyArArchiveObject *)(self))->Fd); CppDeallocPtr(self); } 
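Review bot: In the file-object branch of ararchive_new (hunk `@@ -390,36 +419,38 @@`) the two added lines are in the wrong order: `self->Fd = CppPyObject_NEW(NULL, &PyFileFd_Type);` runs while `self` still holds the NULL it was constructed with, and only afterwards does `self.reset(...)` allocate the archive object. That is a null-pointer dereference, and the object allocated afterwards never has its `Fd` member assigned, so the placement `new (&self->Fd->Object) FileFd(fileno,false)` writes through an unset pointer. The filename branch has the right order and this branch should match it: `self.reset((PyArArchiveObject*) CppPyObject_NEW(file,type));` first, then `self->Fd = CppPyObject_NEW(NULL, &PyFileFd_Type);` (template arguments as rendered on this page). Neither branch checks the two allocations for NULL before using them, which would be worth adding at the same time. The signature of ararchive_new begins just above the hunk.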
@@ -529,10 +560,10 @@ { if (!m) return 0; - PyTarFileObject *tarfile = (PyTarFileObject*)CppPyObject_NEW(self,&PyTarFile_Type); - new (&tarfile->Fd) FileFd(self->Fd.Fd()); + PyTarFileObject *tarfile = (PyTarFileObject*)CppPyObject_NEW(self->Fd,&PyTarFile_Type); + new (&tarfile->Fd) FileFd(self->Fd->Object.Fd()); tarfile->min = m->Start; - tarfile->Object = new ExtractTar(self->Fd, m->Size, comp); + tarfile->Object = new ExtractTar(self->Fd->Object, m->Size, comp); return tarfile; } @@ -579,16 +610,16 @@ static PyObject *debfile_new(PyTypeObject *type, PyObject *args, PyObject *kwds) { - PyDebFileObject *self = (PyDebFileObject*)ararchive_new(type, args, kwds); + PyApt_UniqueObject self((PyDebFileObject*)ararchive_new(type, args, kwds)); if (self == NULL) return NULL; // DebFile - self->control = debfile_get_tar(self, "control.tar"); + self->control = debfile_get_tar(self.get(), "control.tar"); if (self->control == NULL) return NULL; - self->data = debfile_get_tar(self, "data.tar"); + self->data = debfile_get_tar(self.get(), "data.tar"); if (self->data == NULL) return NULL; @@ -597,14 +628,14 @@ return PyErr_Format(PyAptError, "No debian archive, missing %s", "debian-binary"); - if (!self->Fd.Seek(member->Start)) + if (!self->Fd->Object.Seek(member->Start)) return HandleErrors(); char* value = new char[member->Size]; - self->Fd.Read(value, member->Size, true); + self->Fd->Object.Read(value, member->Size, true); self->debian_binary = PyBytes_FromStringAndSize(value, member->Size); delete[] value; - return self; + return self.release(); } static int debfile_traverse(PyObject *_self, visitproc visit, void* arg) diff -Nru python-apt-1.8.4.1/python/generic.h python-apt-1.8.4.2/python/generic.h --- python-apt-1.8.4.1/python/generic.h 2020-01-23 10:10:21.000000000 +0000 +++ python-apt-1.8.4.2/python/generic.h 2020-12-01 19:18:12.000000000 +0000 
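Review bot: debfile_new in the `@@ -597,14 +628,14 @@` hunk still sizes the `debian-binary` buffer straight from the archive header, `char* value = new char[member->Size];`, with no upper bound visible before it. The member-read path earlier in arfile.cc rejects members that are "too large to read into memory", but this path does not. With an oversized `debian-binary` member this allocation can throw std::bad_alloc out of a Python C entry point, or at least tie up memory for a field that is normally a few bytes. A small cap before the allocation would close that, for example `if (member->Size > 64) return PyErr_Format(PyAptError, "debian-binary member is too large");`, with the actual limit chosen by the maintainers. debfile_new begins in the previous hunk, and the two lines between the hunks are not shown.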
@@ -302,4 +302,23 @@ } }; + +/** + * Basic smart pointer to hold initial objects. + * + * This is like a std::unique_ptr to some extend, + * but it is for initialization only, and hence will also clear out any members + * in case it deletes the instance (the error case). + */ +template struct PyApt_UniqueObject { + T *self; + explicit PyApt_UniqueObject(T *self) : self(self) { } + ~PyApt_UniqueObject() { reset(NULL); } + void reset(T *newself) { if (clear && self && Py_TYPE(self)->tp_clear) Py_TYPE(self)->tp_clear(self); Py_XDECREF(self); self = newself; } + PyApt_UniqueObject operator =(PyApt_UniqueObject) = delete; + bool operator ==(void *other) { return self == other; } + T *operator ->() { return self; } + T *get() { return self; } + T *release() { T *ret = self; self = NULL; return ret; } +}; #endif diff -Nru python-apt-1.8.4.1/python/tag.cc python-apt-1.8.4.2/python/tag.cc --- python-apt-1.8.4.1/python/tag.cc 2020-01-23 10:10:21.000000000 +0000 +++ python-apt-1.8.4.2/python/tag.cc 2020-12-01 19:18:12.000000000 +0000 @@ -494,7 +494,6 @@ static PyObject *TagFileNew(PyTypeObject *type,PyObject *Args,PyObject *kwds) { - TagFileData *New; PyObject *File = 0; char Bytes = 0; @@ -518,7 +517,7 @@ return 0; } - New = (TagFileData*)type->tp_alloc(type, 0); + PyApt_UniqueObject New((TagFileData*)type->tp_alloc(type, 0)); if (fileno != -1) { #ifdef APT_HAS_GZIP @@ -556,7 +555,7 @@ // Create the section New->Section = (TagSecData*)(&PyTagSection_Type)->tp_alloc(&PyTagSection_Type, 0); new (&New->Section->Object) pkgTagSection(); - New->Section->Owner = New; + New->Section->Owner = New.get(); Py_INCREF(New->Section->Owner); New->Section->Data = 0; New->Section->Bytes = Bytes; 
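Review bot: PyApt_UniqueObject in generic.h deletes assignment but leaves the implicit copy constructor available, so passing or returning one by value would create two owners and run `tp_clear` and `Py_XDECREF` on the same object twice. Adding `PyApt_UniqueObject(const PyApt_UniqueObject &) = delete;` next to the deleted `operator =` closes that, and the deleted operator would conventionally take `const PyApt_UniqueObject &`. `reset()` would read better split over several lines, with a comment saying that `tp_clear` is called first so that members set during a failed construction are released, which the header comment only hints at. The doc comment also has a typo, "to some extend" for "to some extent".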
@@ -565,7 +564,7 @@ Py_XINCREF(New->Section->Encoding); #endif - return HandleErrors(New); + return HandleErrors(New.release()); } /*}}}*/ // RewriteSection - Rewrite a section.. /*{{{*/ diff -Nru python-apt-1.8.4.1/python/tarfile.cc python-apt-1.8.4.2/python/tarfile.cc --- python-apt-1.8.4.1/python/tarfile.cc 2020-01-23 10:10:21.000000000 +0000 +++ python-apt-1.8.4.2/python/tarfile.cc 2020-12-01 19:18:12.000000000 +0000 @@ -341,7 +341,6 @@ static PyObject *tarfile_new(PyTypeObject *type,PyObject *args,PyObject *kwds) { PyObject *file; - PyTarFileObject *self; PyApt_Filename filename; int fileno; int min = 0; @@ -353,7 +352,7 @@ &max,&comp) == 0) return 0; - self = (PyTarFileObject*)CppPyObject_NEW(file,type); + PyApt_UniqueObject self((PyTarFileObject*)CppPyObject_NEW(file,type)); // We receive a filename. if (filename.init(file)) @@ -364,15 +363,14 @@ new (&self->Fd) FileFd(fileno,false); } else { - Py_DECREF(self); return 0; } self->min = min; self->Object = new ExtractTar(self->Fd,max,comp); if (_error->PendingError() == true) - return HandleErrors(self); - return self; + return HandleErrors(self.release()); + return self.release(); } static const char *tarfile_extractall_doc = diff -Nru python-apt-1.8.4.1/tests/test_cve_2020_27351.py python-apt-1.8.4.2/tests/test_cve_2020_27351.py --- python-apt-1.8.4.1/tests/test_cve_2020_27351.py 1970-01-01 00:00:00.000000000 +0000 +++ python-apt-1.8.4.2/tests/test_cve_2020_27351.py 2020-12-01 19:18:12.000000000 +0000 
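Review bot: `return HandleErrors(New.release());` at the end of TagFileNew gives up ownership before the error check, so on a pending error the object is disposed of by HandleErrors rather than by the PyApt_UniqueObject destructor, and the `tp_clear` step the helper exists for is skipped. That matters here because the `@@ -556,7 +555,7 @@` hunk sets `New->Section->Owner = New.get()` and takes an extra reference, so a plain decref would presumably leave the pair alive (HandleErrors is not shown, so this is inferred). ararchive_new in arfile.cc uses `if (_error->PendingError() == true) return HandleErrors();` followed by `return self.release();`, and the same shape would fit here. tarfile_new in the `@@ -364,15 +363,14 @@` hunk has the same `HandleErrors(self.release())` pattern. TagFileNew starts well before this hunk.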
@@ -0,0 +1,106 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+#
+# Copyright (C) 2020 Canonical Ltd
+#
+# Copying and distribution of this file, with or without modification,
+# are permitted in any medium without royalty provided the copyright
+# notice and this notice are preserved.
+"""Unit tests for verifying the correctness of DebFile descriptor handling."""
+import os
+import unittest
+
+from test_all import get_library_dir
+import sys
+
+libdir = get_library_dir()
+if libdir:
+ sys.path.insert(0, libdir)
+import apt_inst
+import subprocess
+import tempfile
+
+
+@unittest.skipIf(
+ not os.path.exists("/proc/self/fd"), "no /proc/self/fd available"
+)
+class TestCVE_2020_27351(unittest.TestCase):
+ """ test the debfile """
+
+ GOOD_DEB = "data/test_debs/utf8-package_1.0-1_all.deb"
+
+ def test_success(self):
+ """opening package successfully should not leak fd"""
+ before = os.listdir("/proc/self/fd")
+ apt_inst.DebFile(self.GOOD_DEB)
+ after = os.listdir("/proc/self/fd")
+ self.assertEqual(before, after)
+
+ def test_success_a_member(self):
+ """fd should be kept around as long as a tarfile member"""
+ before = os.listdir("/proc/self/fd")
+ data = apt_inst.DebFile(self.GOOD_DEB).data
+ after = os.listdir("/proc/self/fd")
+ self.assertEqual(len(before), len(after) - 1)
+ del data
+ after = os.listdir("/proc/self/fd")
+ self.assertEqual(before, after)
+
+ def _create_deb_without(self, member):
+ temp = tempfile.NamedTemporaryFile(mode="wb")
+ try:
+ with open(self.GOOD_DEB, "rb") as deb:
+ temp.write(deb.read())
+ temp.flush()
+ subprocess.check_call(["ar", "d", temp.name, member])
+ return temp
+ except Exception as e:
+ temp.close()
+ raise e
+
+ def test_nocontrol(self):
+ """opening package without control.tar.gz should not leak fd"""
+ before = os.listdir("/proc/self/fd")
+ with self._create_deb_without("control.tar.gz") as temp:
+ try:
+ apt_inst.DebFile(temp.name)
+ except SystemError as e:
+ self.assertIn("control.tar", str(e))
+ else:
+ self.fail("Did not raise an exception")
+
+ after = os.listdir("/proc/self/fd")
+ self.assertEqual(before, after)
+
+ def test_nodata(self):
+ """opening package without data.tar.gz should not leak fd"""
+ before = os.listdir("/proc/self/fd")
+ with self._create_deb_without("data.tar.gz") as temp:
+ try:
+ apt_inst.DebFile(temp.name)
+ except SystemError as e:
+ self.assertIn("data.tar", str(e))
+ else:
+ self.fail("Did not raise an exception")
+
+ after = os.listdir("/proc/self/fd")
+ self.assertEqual(before, after)
+
+ def test_no_debian_binary(self):
+ """opening package without debian-binary should not leak fd"""
+ before = os.listdir("/proc/self/fd")
+ with self._create_deb_without("debian-binary") as temp:
+ try:
+ apt_inst.DebFile(temp.name)
+ except SystemError as e:
+ self.assertIn("missing debian-binary", str(e))
+ else:
+ self.fail("Did not raise an exception")
+
+ after = os.listdir("/proc/self/fd")
+ self.assertEqual(before, after)
+
+
+if __name__ == "__main__":
+ # logging.basicConfig(level=logging.DEBUG)
+ unittest.main()
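Review bot: None of the tests opens a package through a file object; every call passes a path string, although ararchive_new in arfile.cc has a separate `PyObject_AsFileDescriptor` branch that this update rewrites as well. A test that calls `apt_inst.DebFile` on an open file and checks that `/proc/self/fd` is unchanged afterwards would cover that branch, as sketched below. Separately, the three `try`/`except`/`else: self.fail(...)` blocks could use `with self.assertRaises(SystemError) as cm:`, and `raise e` in `_create_deb_without` could be a bare `raise`.

```python
    # … unchanged: test_success, test_success_a_member …

    def test_success_fileobj(self):
        """opening package from a file object should not leak fd"""
        before = os.listdir("/proc/self/fd")
        with open(self.GOOD_DEB, "rb") as deb:
            apt_inst.DebFile(deb)
        after = os.listdir("/proc/self/fd")
        self.assertEqual(before, after)
```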