Revert "Don't confuse OpenScanHub with false array overrun"

Yikes. This was a rushed "fix" that caused a regression in --verify mode with the following error message: Header RSA signature: BAD (header tag 268: invalid OpenPGP signature) This was immediately caught by the CI (thank god we have it!). Since this patch was downstream-only (no internal OpenPGP parser in rpm upstream anymore), it didn't go through the usual peer review. I should have asked for it in GitLab still, no matter how innocent and tiny the change appears to be (lesson learned). Anyway, it's probably going to be safer to just mark this finding as a false positive (which it really is), as opposed to touching the code. Let's revisit later, for now, just revert. This reverts commit ae9528bbef. Related: RHEL-22607
2024-07-12 16:29:44 +02:00 · 2024-07-12 16:29:44 +02:00 · b3bd2e82c5
commit b3bd2e82c5
parent cf0fff1708
2 changed files with 4 additions and 14 deletions
--- a/rpm-4.16.1.3-pgp-explicit-pointer-increment.patch
+++ b/rpm-4.16.1.3-pgp-explicit-pointer-increment.patch
@ -1,12 +0,0 @@
-diff -up rpm-4.16.1.3/rpmio/rpmpgp.c.orig rpm-4.16.1.3/rpmio/rpmpgp.c
--- rpm-4.16.1.3/rpmio/rpmpgp.c.orig	2024-07-11 13:20:04.872431485 +0200
-+++ rpm-4.16.1.3/rpmio/rpmpgp.c	2024-07-11 13:20:33.828279453 +0200
-@@ -619,7 +619,7 @@ static int pgpPrtSig(pgpTag tag, const u
- 	p = &v->hashlen[0];
- 	if (pgpGet(v->hashlen, sizeof(v->hashlen), h + hlen, &plen))
- 	    return 1;
-	p += sizeof(v->hashlen);
-+	p = h + sizeof(v);
- 
- 	if ((p + plen) > (h + hlen))
- 	    return 1;
--- a/rpm.spec
+++ b/rpm.spec
@ -32,7 +32,7 @@

 %global rpmver 4.16.1.3
 #global snapver rc1
-%global rel 31
+%global rel 32
 %global sover 9

 %global srcver %{rpmver}%{?snapver:-%{snapver}}
@ -135,7 +135,6 @@ Patch916: 0006-debugedit-Handle-DWARF-5-debug_line-and-debug_line_s.patch
 Patch1000: rpm-4.16.1.3-hashtab-use-after-free-fix.patch
 Patch1001: rpm-4.16.1.3-find_debuginfo_vendor_opts.patch
 Patch1002: 0001-Macroize-find-debuginfo-script-location.patch
-Patch1003: rpm-4.16.1.3-pgp-explicit-pointer-increment.patch

 # Partially GPL/LGPL dual-licensed and some bits with BSD
 # SourceLicense: (GPLv2+ and LGPLv2+ with exceptions) and BSD
@ -664,6 +663,9 @@ fi
 %doc doc/librpm/html/*

 %changelog
+* Fri Jul 12 2024 Michal Domonkos <mdomonko@redhat.com> - 4.16.1.3-32
+- Revert incorrect fix for false array overrun (RHEL-22607)
+
 * Fri Jul 12 2024 Michal Domonkos <mdomonko@redhat.com> - 4.16.1.3-31
 - Fix potential use of uninitialized pipe array (RHEL-22604)
 - Fix potential use of uninitialized pgp struct (RHEL-22605)