Dpkg: Fix OpenPGP armored signature parsing

Change parsing code to honour RFC4880. Handle whitespaces at EOL, and
correctly expect five trailing dashes on the Armor Header Lines.

Closes: #695919

Reported-by: Ansgar Burchardt <ansgar@debian.org>

1 files changed, 7 insertions, 6 deletions

diff --git a/scripts/Dpkg/Control/Hash.pm b/scripts/Dpkg/Control/Hash.pm
index fabcf68de..623ca73fe 100644
--- a/scripts/Dpkg/Control/Hash.pm
+++ b/scripts/Dpkg/Control/Hash.pm
@@ -193,31 +193,32 @@ sub parse {
 		$line = substr $line, 1;
 	    }
 	    $self->{$cf} .= "\n$line";
-	} elsif (m/^-----BEGIN PGP SIGNED MESSAGE/) {
+	} elsif (m/^-----BEGIN PGP SIGNED MESSAGE-----$/) {
 	    $expect_pgp_sig = 1;
 	    if ($$self->{'allow_pgp'}) {
 		# Skip PGP headers
 		while (<$fh>) {
-		    last if m/^$/;
+		    last if m/^\s*$/;
 		}
 	    } else {
 		syntaxerr($desc, _g("PGP signature not allowed here"));
 	    }
-	} elsif (m/^$/ || ($expect_pgp_sig && m/^-----BEGIN PGP SIGNATURE/)) {
+	} elsif (m/^$/ || ($expect_pgp_sig && m/^-----BEGIN PGP SIGNATURE-----$/)) {
 	    if ($expect_pgp_sig) {
 		# Skip empty lines
 		$_ = <$fh> while defined($_) && $_ =~ /^\s*$/;
 		length($_) ||
                     syntaxerr($desc, _g("expected PGP signature, found EOF " .
                                         "after blank line"));
-		s/\n$//;
-		unless (m/^-----BEGIN PGP SIGNATURE/) {
+		s/\s*\n$//;
+		unless (m/^-----BEGIN PGP SIGNATURE-----$/) {
 		    syntaxerr($desc, sprintf(_g("expected PGP signature, " .
                                                 "found something else \`%s'"), $_));
                 }
 		# Skip PGP signature
 		while (<$fh>) {
-		    last if m/^-----END PGP SIGNATURE/;
+		    s/\s*\n$//;
+		    last if m/^-----END PGP SIGNATURE-----$/;
 		}
 		unless (defined($_)) {
                     syntaxerr($desc, _g("unfinished PGP signature"));