Author: mlandres Date: Fri Jul 4 17:42:38 2008 New Revision: 10497 URL: http://svn.opensuse.org/viewcvs/zypp?rev=10497&view=rev Log: Also check if the fingerprint matches before importing updated keys. (bnc #393160) Modified: branches/SuSE-Linux-11_0-Branch/libzypp/VERSION.cmake branches/SuSE-Linux-11_0-Branch/libzypp/package/libzypp.changes branches/SuSE-Linux-11_0-Branch/libzypp/zypp/KeyRing.cc Modified: branches/SuSE-Linux-11_0-Branch/libzypp/VERSION.cmake URL: http://svn.opensuse.org/viewcvs/zypp/branches/SuSE-Linux-11_0-Branch/libzypp/VERSION.cmake?rev=10497&r1=10496&r2=10497&view=diff ============================================================================== --- branches/SuSE-Linux-11_0-Branch/libzypp/VERSION.cmake (original) +++ branches/SuSE-Linux-11_0-Branch/libzypp/VERSION.cmake Fri Jul 4 17:42:38 2008 @@ -47,4 +47,4 @@ SET(LIBZYPP_MAJOR "4") SET(LIBZYPP_MINOR "26") SET(LIBZYPP_COMPATMINOR "24") -SET(LIBZYPP_PATCH "6") +SET(LIBZYPP_PATCH "7") Modified: branches/SuSE-Linux-11_0-Branch/libzypp/package/libzypp.changes URL: http://svn.opensuse.org/viewcvs/zypp/branches/SuSE-Linux-11_0-Branch/libzypp/package/libzypp.changes?rev=10497&r1=10496&r2=10497&view=diff ============================================================================== --- branches/SuSE-Linux-11_0-Branch/libzypp/package/libzypp.changes (original) +++ branches/SuSE-Linux-11_0-Branch/libzypp/package/libzypp.changes Fri Jul 4 17:42:38 2008 
@@ -1,7 +1,15 @@ ------------------------------------------------------------------- +Fri Jul 4 17:19:24 CEST 2008 - ma@suse.de + +- Also check if the fingerprint matches before importing updated keys. + (bnc #393160) +- version 4.26.7 +- revision 10497 + +------------------------------------------------------------------- Fri Jun 27 16:16:50 CEST 2008 - ma@suse.de -- Invoke gpg with --homdir, otherwise command fails if executed +- Invoke gpg with --homdir, otherwise command fails if executed within a wrapper. (bnc #401259) - version 4.26.6 - revision 10480 @@ -9,7 +17,7 @@ ------------------------------------------------------------------- Fri Jun 20 15:31:57 CEST 2008 - ma@suse.de -- Fix permanent duplication of gpg keys in the rpm database. Also +- Fix permanent duplication of gpg keys in the rpm database. Also retrieve correct creation and expire dates. (bnc #401259) - version 4.26.5 - revision 10432 @@ -18,14 +26,14 @@ Thu Jun 19 17:46:04 CEST 2008 - ma@suse.de - Handle new patch messages and scripts in commit. Provide callbacks - to display the patch messages and give visual feedback on script + to display the patch messages and give visual feedback on script execution. (bnc #401220) - revision 10410 ------------------------------------------------------------------- Tue Jun 10 15:55:31 CEST 2008 - ma@suse.de -- Allow to abort commit during package deletion. (bnc #389238) +- Allow to abort commit during package deletion. (bnc #389238) - revision 10367 ------------------------------------------------------------------- @@ -53,7 +61,7 @@ ------------------------------------------------------------------- Wed Jun 4 13:50:13 CEST 2008 - ma@suse.de -- Fix memory corruption in curl media handler (bnc #396979) +- Fix memory corruption in curl media handler (bnc #396979) - version 4.26.2 - revision 10336 
@@ -61,7 +69,7 @@ Tue Jun 3 19:44:59 CEST 2008 - ma@suse.de - Take care satsolver recognizes 'Capability( "srcpackage:zypper" )' - as 'source package named zypper'. So these capabilities can be used + as 'source package named zypper'. So these capabilities can be used together with sat::Whatprovides or in resolver requests. (bnc #369893) - version 4.26.1 - revision 10333 @@ -69,7 +77,7 @@ ------------------------------------------------------------------- Mon Jun 2 17:57:22 CEST 2008 - ma@suse.de -- Allow to skip/abort failed package removal. (bnc #226041) +- Allow to skip/abort failed package removal. (bnc #226041) - revision 10319 ------------------------------------------------------------------- @@ -77,7 +85,7 @@ - import newer keys if a trusted key is updated (bnc#393160) -- add message attribute to patches. +- add message attribute to patches. - 4.26.0 ------------------------------------------------------------------- @@ -121,7 +129,7 @@ - SOLVER_ERASE_SOLVABLE_NAME: As we do not know, if this request has come from resolvePool or resolveQueue we will have to take care for both - cases. (bnc#393969) + cases. (bnc#393969) - r 10252 ------------------------------------------------------------------- @@ -140,7 +148,7 @@ - Do not regard packages with the same name while upgrading obsoleted packages (bnc#394367) -- r 10219 +- r 10219 ------------------------------------------------------------------- Sat May 24 01:23:44 CEST 2008 - dmacvicar@suse.de 
@@ -160,16 +168,16 @@ ------------------------------------------------------------------- Fri May 23 14:42:34 CEST 2008 - schubi@suse.de -- Added IgnoreAlreadyRecommended flag. So recomments/suggest will +- Added IgnoreAlreadyRecommended flag. So recomments/suggest will be ignored for already INSTALLED packages (bnc #389694) -- r 10202 +- r 10202 ------------------------------------------------------------------- Fri May 23 10:22:47 CEST 2008 - schubi@suse.de - Packages which obsoletes and do NOT required other installed packages will be installed if no other packages obsolete the installed package too. -- r 10196 +- r 10196 ------------------------------------------------------------------- Thu May 22 02:22:29 CEST 2008 - dmacvicar@suse.de @@ -189,13 +197,13 @@ ------------------------------------------------------------------- Wed May 21 11:37:23 CEST 2008 - schubi@suse.de -- added onlyRequires in the testcase (bnc #389184) +- added onlyRequires in the testcase (bnc #389184) ------------------------------------------------------------------- Tue May 20 12:12:27 CEST 2008 - jreidinger@suse.cz - allow installation and refreshing from repository with alias that - contains ' or " (bnc #392426) + contains ' or " (bnc #392426) - r10158 ------------------------------------------------------------------- @@ -208,7 +216,7 @@ Mon May 19 18:13:19 CEST 2008 - schubi@suse.de - Resetting Delete Details in ResStatus correctly (bnc #391785) -- r 10145 +- r 10145 ------------------------------------------------------------------- Mon May 19 11:47:06 CEST 2008 - dmacvicar@suse.de @@ -222,7 +230,7 @@ - Added new calls : isInstalledBy (const PoolItem item); installs (const PoolItem item); -- r 10125 +- r 10125 - 4.23.0 ------------------------------------------------------------------- 
@@ -236,22 +244,22 @@ Fri May 16 09:59:09 CEST 2008 - jreidinger@suse.cz - throw more describing exception when repo probing failed - (bnc #389690) + (bnc #389690) - revision 10118 ------------------------------------------------------------------- Thu May 15 15:15:59 CEST 2008 - jreidinger@suse.cz - allow call only merge old locks and newly added/removed without - saving it to file -- -revision 10104 + saving it to file +- -revision 10104 ------------------------------------------------------------------- Tue May 13 17:37:11 CEST 2008 - dmacvicar@suse.de - report non packages as keep installed if satisfied to the user interace (Selectables) -- 4.21.3 +- 4.21.3 ------------------------------------------------------------------- Tue May 13 15:50:28 CEST 2008 - jkupec@suse.cz @@ -287,11 +295,11 @@ ------------------------------------------------------------------- Fri May 9 21:28:42 CEST 2008 - ma@suse.de -- Add zypp.conf option configdir (/etc/zypp) and arrange +- Add zypp.conf option configdir (/etc/zypp) and arrange all config files and directories to follow {configdir} per default. -- Fix zypp-query-pool to print satisfied products and additional - products defined in {configdir}/products.d for registration. +- Fix zypp-query-pool to print satisfied products and additional + products defined in {configdir}/products.d for registration. (bnc #385868) - version 4.21.0 - revision 10029 @@ -299,7 +307,7 @@ ------------------------------------------------------------------- Fri May 9 15:30:40 CEST 2008 - jreidinger@suse.cz -- implement remove duplicate entries in lock file (bnc#385967) +- implement remove duplicate entries in lock file (bnc#385967) ------------------------------------------------------------------- Fri May 9 15:15:32 CEST 2008 - ma@suse.de 
@@ -317,7 +325,7 @@ ------------------------------------------------------------------- Thu May 8 16:33:37 CEST 2008 - ma@suse.de -- Support optional root argument to RepoManagerOptions, to prefix all +- Support optional root argument to RepoManagerOptions, to prefix all path names taken from ZConfig. (bnc #388265) - version 4.20.0 - revision 9993 @@ -326,19 +334,19 @@ Thu May 8 14:21:51 CEST 2008 - schubi@suse.de - new solution action for removing requirements/conflicts (bnc #387631) -- revision 9988 +- revision 9988 ------------------------------------------------------------------- Thu May 8 10:56:49 CEST 2008 - ma@suse.de -- Provide enumerated patch category 'Patch::categoryEnum()' (bnc #159100) +- Provide enumerated patch category 'Patch::categoryEnum()' (bnc #159100) - revision 9984 ------------------------------------------------------------------- Wed May 7 13:52:24 CEST 2008 - schubi@suse.de - DistUpgrade: searching for providers -> regarding name onl -- r 9977 +- r 9977 ------------------------------------------------------------------- Tue May 6 17:35:59 CEST 2008 - dmacvicar@suse.de @@ -361,17 +369,17 @@ ------------------------------------------------------------------- Mon May 5 09:55:29 CEST 2008 - schubi@suse.de -- Switch off the upgrade mode of the - SAT solver cause the packages have already been evaluated by +- Switch off the upgrade mode of the + SAT solver cause the packages have already been evaluated by the distupgrade machanism of libzypp. (bnc #386375) -- rev 9943 +- rev 9943 ------------------------------------------------------------------- Fri May 2 16:36:04 CEST 2008 - jreidinger@suse.cz - release file after copy to cache as soon as possible. (bnc #381311) -- r9940 +- r9940 ------------------------------------------------------------------- Fri May 2 16:28:05 CEST 2008 - schubi@suse.de 
@@ -379,28 +387,28 @@ - Bugfix: keep states by user has been removed it the package has not been installed BUT has been recommended by another package. (bnc #385832) -- rev 9938 +- rev 9938 ------------------------------------------------------------------- Fri May 2 12:19:22 CEST 2008 - jreidinger@suse.cz - add isLocal function to Url which say if scheme is local or - internet. + internet. - r9932 ------------------------------------------------------------------- Fri May 2 09:36:18 CEST 2008 - jreidinger@suse.cz - cache decision for repository depend on his url. -- http,ftp and smb cache packages. +- http,ftp and smb cache packages. - revision 9929 ------------------------------------------------------------------- Thu May 1 00:50:51 CEST 2008 - ma@suse.de - Load and maintain persistent hard locks stored in /etc/zypp/locks. - Locks are loaded together with the target, and changes are writen - back on commit. zypp.conf option locksfile.apply can be used to turn + Locks are loaded together with the target, and changes are writen + back on commit. zypp.conf option locksfile.apply can be used to turn this feature on or off. (FATE #120352) - version 4.18.0 - revision 9927 @@ -408,7 +416,7 @@ ------------------------------------------------------------------- Wed Apr 30 16:27:49 CEST 2008 - ma@suse.de -- Add zypp.conf option solvfilesdir: Path where the repo solv files +- Add zypp.conf option solvfilesdir: Path where the repo solv files are created. Default value: {cachedir}/solv. - Target and repositories now save their solvfiles below {solvfilesdir} in directories named after the repositories alias. @@ -425,7 +433,7 @@ Tue Apr 29 16:37:19 CEST 2008 - schubi@suse.de - cleanup in return values of doUpgrade and doUpdate -- r9886 +- r9886 - 4.17.0 ------------------------------------------------------------------- 
@@ -443,7 +451,7 @@ ------------------------------------------------------------------- Mon Apr 28 15:25:46 CEST 2008 - schubi@suse.de -- added translations +- added translations ------------------------------------------------------------------- Mon Apr 28 11:15:47 CEST 2008 - jkupec@suse.cz @@ -454,7 +462,7 @@ ------------------------------------------------------------------- Fri Apr 25 16:12:12 CEST 2008 - ma@suse.de -- Prevent target::unload from creating a system repo in order +- Prevent target::unload from creating a system repo in order to unload it. (bnc 382297) - version 4.15.2 - revision 9822 @@ -462,9 +470,9 @@ ------------------------------------------------------------------- Fri Apr 25 14:15:17 CEST 2008 - ma@suse.de -- Prevent deselected or deleted items from being re-selected due to - recommends (aka. persistent soft locks). Unlike hard locked, those - items will be automatically selected if required. The list of soft +- Prevent deselected or deleted items from being re-selected due to + recommends (aka. persistent soft locks). Unlike hard locked, those + items will be automatically selected if required. The list of soft locked items is stored in /var/lib/zypp/SoftLocks. - version 4.15.1 - revision 9818 @@ -480,9 +488,9 @@ ------------------------------------------------------------------- Wed Apr 23 21:12:56 CEST 2008 - ma@suse.de -- Support dependencies requiring a specific architecture: - "name[.arch] [op edition]". See class Capability for details - about how to construct dependencies. (bnc #305445) +- Support dependencies requiring a specific architecture: + "name[.arch] [op edition]". See class Capability for details + about how to construct dependencies. (bnc #305445) - version 4.15.0 - revision 9805 
@@ -497,7 +505,7 @@ - change locks api - - make more functions const -- replace add/remove by selectable to add/remove by ident or name and kind +- replace add/remove by selectable to add/remove by ident or name and kind - rename iterator to const_iterator to avoid confusion - revision 9781 @@ -505,7 +513,7 @@ Tue Apr 22 13:55:14 CEST 2008 - schubi@suse.de - Do architecture changes while "dup" in the external distribution - upgrade ONLY. bnc #382274 + upgrade ONLY. bnc #382274 - Added "ignore" to the solutions - Added "self-conflicts" to the solution - added new solver mechanism "resolveQueue" @@ -522,8 +530,8 @@ ------------------------------------------------------------------- Mon Apr 21 15:38:10 CEST 2008 - ma@suse.de -- Added Target::release(), returning the targets distribution - release string. +- Added Target::release(), returning the targets distribution + release string. - revision 9761 ------------------------------------------------------------------- @@ -549,7 +557,7 @@ ------------------------------------------------------------------- Wed Apr 16 15:00:19 CEST 2008 - ma@suse.de -- Disable fast creation of @System.solv. It may produce wrong results +- Disable fast creation of @System.solv. It may produce wrong results e.g. after a rebuilddb. - version 4.13.1 - revision 9666 @@ -569,7 +577,7 @@ - save do nothing if no locks added/removed - fix bug with multiple save lock - don't save same query multiple times -- improve tests +- improve tests - revision 9644 ------------------------------------------------------------------- @@ -578,7 +586,7 @@ - added new translations - activate zypp-query-pool - Revision 9637 -- 4.12.1 +- 4.12.1 ------------------------------------------------------------------- Tue Apr 15 00:54:07 CEST 2008 - jkupec@suse.cz 
@@ -628,8 +636,8 @@ Fri Apr 11 14:43:05 CEST 2008 - ma@suse.de - Fix SolvIterMixin to avioid multiple visits of the same Selectable. -- Add Resolvable::poolItem() providing access to the corresponding - PoolItem. API to query isRelevant/isSatisfied/isBroken was moved +- Add Resolvable::poolItem() providing access to the corresponding + PoolItem. API to query isRelevant/isSatisfied/isBroken was moved to PoolItem. - Add ResPool::satisfiedProductsBegin/End iterator over all products whose dependencies are satisfied. This reflects the status determined @@ -640,19 +648,19 @@ Fri Apr 11 12:07:47 CEST 2008 - jreidinger@suse.cz - switch to new locks api -- revision 9524 +- revision 9524 ------------------------------------------------------------------- Wed Apr 9 21:24:54 CEST 2008 - ma@suse.de - Enable ui::Selectable lookup by Solvable/PoolItem in ResPoolProxy. -- Add SolvIterMixin: Base class providing PoolItem_iterator and +- Add SolvIterMixin: Base class providing PoolItem_iterator and Selectable_iterator iterator types based on a Solvable iterator. - Enhanced WhatProvides and SolvableSet to PoolItem_iterator to offer PoolItem_iterator and Selectable_iterator. -- Add Solvable::SplitIdent: Helper class that splits an identifier +- Add Solvable::SplitIdent: Helper class that splits an identifier into kind and name. -- Provide methods Pattern::contents returning a collection of packages +- Provide methods Pattern::contents returning a collection of packages associated with the pattern/patch. - revision 9496 
@@ -660,18 +668,18 @@ Tue Apr 8 15:50:48 CEST 2008 - jreidinger@suse.cz - add comparing to PoolQuery -- revision 9466 +- revision 9466 ------------------------------------------------------------------- Tue Apr 8 13:18:30 CEST 2008 - jreidinger@suse.cz -- move RepoInfo to universal RepoException. This can enable more verbose output - for frontend. (helps with bnc #377137) +- move RepoInfo to universal RepoException. This can enable more verbose output - for frontend. (helps with bnc #377137) - revision 9452 ------------------------------------------------------------------- Tue Apr 8 10:52:30 CEST 2008 - jreidinger@suse.cz -- initial implementation of new locks (FATE #120118 and #120352) +- initial implementation of new locks (FATE #120118 and #120352) - revision 9442 ------------------------------------------------------------------- @@ -684,7 +692,7 @@ Fri Apr 4 14:01:45 CEST 2008 - jreidinger@suse.cz - add split with respect to escaped delimeters and also for quotes -- revision 9373 +- revision 9373 ------------------------------------------------------------------- Thu Apr 3 12:55:50 CEST 2008 - ma@suse.de @@ -696,7 +704,7 @@ Thu Apr 3 11:59:13 CEST 2008 - ma@suse.de - Allow to store a media label in MediaSetAccess. This label is - passed to a media change requests to describe which CD is + passed to a media change requests to describe which CD is requested. (bnc #330094) - Fixed some missing package and source package attributes. - revision 9347 
@@ -705,25 +713,25 @@ Wed Apr 2 13:48:52 CEST 2008 - schubi@suse.de - Moved poolItem.status().isSatisfied(),.... to poolItem.isSatisfied() -- Removed establish state in ResStatus +- Removed establish state in ResStatus - revision 9337 - version 4.7.0 ------------------------------------------------------------------- Wed Apr 2 10:24:17 CEST 2008 - ma@suse.de -- Add PoolItem::isSatisfied()/isBroken() to test whether +- Add PoolItem::isSatisfied()/isBroken() to test whether the items requirements are met. - revision 9334 ------------------------------------------------------------------- Tue Apr 1 21:54:10 CEST 2008 - ma@suse.de -- Extend sat::WhatProvides to allow to query for possible providers - of a collection of capabilies. E.g. all providers of a packages +- Extend sat::WhatProvides to allow to query for possible providers + of a collection of capabilies. E.g. all providers of a packages requirements. -- Fixed retrieval of translated texts from .solv files, provided the - solv file contains them. +- Fixed retrieval of translated texts from .solv files, provided the + solv file contains them. - revision 9328 ------------------------------------------------------------------- @@ -737,7 +745,7 @@ Wed Mar 26 16:15:24 CET 2008 - ma@suse.de - Allow prioritizing repos by adding a line 'priority=N' to the - .repo file. Where N is an integer number from 1 (highest prio) + .repo file. Where N is an integer number from 1 (highest prio) to 99 (least and default). (bnc #369827, fate #302872) - version 4.6.1 - revision 9276 
@@ -768,13 +776,13 @@ Thu Mar 20 15:00:24 CET 2008 - jreidinger@suse.cz - return more information from checking if metadata need refresh, - so user can get better info. (bnc #307249) + so user can get better info. (bnc #307249) - revision 9231 ------------------------------------------------------------------- Tue Mar 18 21:59:04 CET 2008 - ma@suse.de -- class sat::LocaleSupport: Convenience methods to manage support +- class sat::LocaleSupport: Convenience methods to manage support for language specific packages. - revision 9197 @@ -819,19 +827,19 @@ Fri Mar 14 12:07:41 CET 2008 - jreidinger@suse.cz - Save repo type during refresh if type is NONE (f.e. lazy probing). -- revision 9153 +- revision 9153 ------------------------------------------------------------------- Fri Mar 14 11:34:24 CET 2008 - jreidinger@suse.cz - replace gpg escaped semicolon with real semicolon (bnc #355434) -- revision 9151 +- revision 9151 ------------------------------------------------------------------- Fri Mar 14 10:17:41 CET 2008 - jreidinger@suse.cz - make strings from RpmDb and Keyring exceptions translatable -- revision 9146 +- revision 9146 ------------------------------------------------------------------- Thu Mar 13 18:41:26 CET 2008 - dmacvicar@suse.de @@ -842,7 +850,7 @@ ------------------------------------------------------------------- Thu Mar 13 18:40:57 CET 2008 - jreidinger@suse.cz -- enable frontend to rewrite add_probe settings.(bnc #309612) +- enable frontend to rewrite add_probe settings.(bnc #309612) - Correct adding repo without type to lazy probing. - revision 9135 
@@ -918,13 +926,13 @@ ------------------------------------------------------------------- Wed Mar 5 11:33:26 CET 2008 - ma@suse.de - + - Try to rebuild broken solv files in Target::load. - revision 9015 ------------------------------------------------------------------- Tue Mar 4 18:17:41 CET 2008 - ma@suse.de - + - Try to rebuild broken solv files in RepoManager::loadFromCache. - Fix RepoStatus::operator&& and RepoStatus testsuite. - revision 9008 @@ -938,7 +946,7 @@ ------------------------------------------------------------------- Tue Mar 4 12:57:58 CET 2008 - ma@suse.de - + - Save and restore requested locales on target load/commit. - revision 8999 @@ -946,7 +954,7 @@ Mon Mar 3 17:10:26 CET 2008 - schubi@suse.de - (Update) Prevent reinstallation of installed packages. -- revision 8984 +- revision 8984 ------------------------------------------------------------------- Sun Mar 2 16:13:16 CET 2008 - coolo@suse.de @@ -984,7 +992,7 @@ ------------------------------------------------------------------- Tue Feb 26 13:26:30 CET 2008 - ma@suse.de - + - Fixed Capabilites iterator exposing prereq marker. - revision 8914 @@ -998,11 +1006,11 @@ Mon Feb 25 17:06:53 CET 2008 - schubi@suse.de - Testcases regards modaliases, rpmlib, ... correctly -- Revision 8904 +- Revision 8904 ------------------------------------------------------------------- Mon Feb 25 13:20:26 CET 2008 - ma@suse.de - + - Remove obsolete sql database. (bnc#363224) - revision 8898 Modified: branches/SuSE-Linux-11_0-Branch/libzypp/zypp/KeyRing.cc URL: http://svn.opensuse.org/viewcvs/zypp/branches/SuSE-Linux-11_0-Branch/libzypp/zypp/KeyRing.cc?rev=10497&r1=10496&r2=10497&view=diff ============================================================================== --- branches/SuSE-Linux-11_0-Branch/libzypp/zypp/KeyRing.cc (original) +++ branches/SuSE-Linux-11_0-Branch/libzypp/zypp/KeyRing.cc Fri Jul 4 17:42:38 2008 
@@ -249,7 +249,7 @@ for (list<PublicKey>::const_iterator it = keys.begin(); it != keys.end(); it++) { if ( id == (*it).id() ) - + return true; } return false; @@ -345,14 +345,17 @@ if ( publicKeyExists( id, generalKeyRing() ) ) { PublicKey untkey = exportKey( id, generalKeyRing() ); - if ( untkey.created() > key.created() ) + // bnc #393160: Comment #30: Compare at least the fingerprint + // in case an attacker created a key the the same id. + if ( untkey.fingerprint() == key.fingerprint() + && untkey.created() > key.created() ) { MIL << "Key " << key << " was updated. Saving new version into trusted keyring." << endl; importKey( untkey, true ); key = untkey; } } - + MIL << "Key " << id << " " << key.name() << " is trusted" << endl; // it exists, is trusted, does it validates? if ( verifyFile( file, signature, trustedKeyRing() ) ) -- To unsubscribe, e-mail: zypp-commit+unsubscribe@opensuse.org For additional commands, e-mail: zypp-commit+help@opensuse.org
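Review bot: in libzypp.changes, only the first hunk (@@ -1,7 +1,15 @@) carries the new 4.26.7 entry; every later hunk of this file removes a line and adds back what is visibly the same text, differing only in whitespace. Bundling that much unrelated churn with the security fix for bnc #393160 makes the change harder to audit and to backport, so the whitespace cleanup should go into its own commit. The first hunk also re-touches the line "Invoke gpg with --homdir" without correcting the option's spelling (--homedir).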
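Review bot: in KeyRing.cc, hunk @@ -249,7 +249,7 @@, the only changed line is a whitespace-only line sitting between `if ( id == (*it).id() )` and `return true;`. Remove that empty line rather than rewriting it, since a blank line between an unbraced `if` and its statement invites misreading, and keep the cleanup out of the security fix. The loop still reports a key as existing on an `id()` match alone, so a short comment here that an id match does not establish key identity would warn other callers of the case the @@ -345 hunk has to guard against.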
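Review bot: in KeyRing.cc, hunk @@ -345,14 +345,17 @@, a fingerprint mismatch is dropped silently: when `untkey.fingerprint() == key.fingerprint()` is false the code falls straight through to `MIL << "Key " << id << " " << key.name() << " is trusted"`, so a key in the general keyring that shares the trusted key's id but not its fingerprint, exactly the case the new comment describes, leaves no trace in the log. Add an else branch that logs both fingerprints at warning level so the condition can be detected. The candidate is also still fetched with `exportKey( id, generalKeyRing() )`, that is, by id; these lines do not show which key is returned when the general keyring holds more than one key with that id, so a legitimate update could be skipped, and selecting the candidate by fingerprint would avoid that. The new comment has a typo: "the the same id" should read "with the same id".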