import rpm-4.14.3-21.el8
parent
9ae23daa16
commit
f13aec5d06
@ -1,4 +1,4 @@
|
|||||||
From 92d942a2da619852c2b223e09a645110e867fc67 Mon Sep 17 00:00:00 2001
|
From 82c53e4b7f720012a391d8f6e5da9ee3c4f22bed Mon Sep 17 00:00:00 2001
|
||||||
From: Demi Marie Obenour <demi@invisiblethingslab.com>
|
From: Demi Marie Obenour <demi@invisiblethingslab.com>
|
||||||
Date: Thu, 6 May 2021 18:34:45 -0400
|
Date: Thu, 6 May 2021 18:34:45 -0400
|
||||||
Subject: [PATCH] Validate and require subkey binding signatures on PGP public
|
Subject: [PATCH] Validate and require subkey binding signatures on PGP public
|
||||||
@ -18,22 +18,25 @@ Combined with:
|
|||||||
5ff86764b17f31535cb247543a90dd739076ec38
|
5ff86764b17f31535cb247543a90dd739076ec38
|
||||||
b5e8bc74b2b05aa557f663fe227b94d2bc64fbd8
|
b5e8bc74b2b05aa557f663fe227b94d2bc64fbd8
|
||||||
9f03f42e2614a68f589f9db8fe76287146522c0c
|
9f03f42e2614a68f589f9db8fe76287146522c0c
|
||||||
|
b6dffb6dc5ffa2ddc389743f0507876cab341315 (mem-leak fix)
|
||||||
|
ae3d2d234ae47ff85229d3fce97a266fa1aa5a61 (use-after-free fix)
|
||||||
|
|
||||||
Fixes CVE-2021-3521.
|
Fixes CVE-2021-3521.
|
||||||
---
|
---
|
||||||
rpmio/rpmpgp.c | 123 +++++++++++++++---
|
rpmio/rpmpgp.c | 122 +++++++++++++++---
|
||||||
|
sign/rpmgensig.c | 2 +-
|
||||||
tests/Makefile.am | 3 +
|
tests/Makefile.am | 3 +
|
||||||
tests/data/keys/CVE-2021-3521-badbind.asc | 25 ++++
|
tests/data/keys/CVE-2021-3521-badbind.asc | 25 ++++
|
||||||
.../data/keys/CVE-2021-3521-nosubsig-last.asc | 25 ++++
|
.../data/keys/CVE-2021-3521-nosubsig-last.asc | 25 ++++
|
||||||
tests/data/keys/CVE-2021-3521-nosubsig.asc | 37 ++++++
|
tests/data/keys/CVE-2021-3521-nosubsig.asc | 37 ++++++
|
||||||
tests/rpmsigdig.at | 28 ++++
|
tests/rpmsigdig.at | 28 ++++
|
||||||
6 files changed, 224 insertions(+), 17 deletions(-)
|
7 files changed, 224 insertions(+), 18 deletions(-)
|
||||||
create mode 100644 tests/data/keys/CVE-2021-3521-badbind.asc
|
create mode 100644 tests/data/keys/CVE-2021-3521-badbind.asc
|
||||||
create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig-last.asc
|
create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig-last.asc
|
||||||
create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig.asc
|
create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig.asc
|
||||||
|
|
||||||
diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
|
diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
|
||||||
index 46cd0f31a..fbb131a28 100644
|
index 46cd0f31a..bd4992ec7 100644
|
||||||
--- a/rpmio/rpmpgp.c
|
--- a/rpmio/rpmpgp.c
|
||||||
+++ b/rpmio/rpmpgp.c
|
+++ b/rpmio/rpmpgp.c
|
||||||
@@ -511,7 +511,7 @@ pgpDigAlg pgpDigAlgFree(pgpDigAlg alg)
|
@@ -511,7 +511,7 @@ pgpDigAlg pgpDigAlgFree(pgpDigAlg alg)
|
||||||
@ -76,7 +79,7 @@ index 46cd0f31a..fbb131a28 100644
|
|||||||
} break;
|
} break;
|
||||||
default:
|
default:
|
||||||
rpmlog(RPMLOG_WARNING, _("Unsupported version of key: V%d\n"), version);
|
rpmlog(RPMLOG_WARNING, _("Unsupported version of key: V%d\n"), version);
|
||||||
@@ -999,36 +997,128 @@ unsigned int pgpDigParamsAlgo(pgpDigParams digp, unsigned int algotype)
|
@@ -999,36 +997,127 @@ unsigned int pgpDigParamsAlgo(pgpDigParams digp, unsigned int algotype)
|
||||||
return algo;
|
return algo;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -178,12 +181,11 @@ index 46cd0f31a..fbb131a28 100644
|
|||||||
- p += (pkt.body - pkt.head) + pkt.blen;
|
- p += (pkt.body - pkt.head) + pkt.blen;
|
||||||
+ if (selfsig) {
|
+ if (selfsig) {
|
||||||
+ /* subkeys must be followed by binding signature */
|
+ /* subkeys must be followed by binding signature */
|
||||||
+ if (prevtag == PGPTAG_PUBLIC_SUBKEY) {
|
+ int xx = 1; /* assume failure */
|
||||||
+ if (selfsig->sigtype != PGPSIGTYPE_SUBKEY_BINDING)
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+
|
+
|
||||||
+ int xx = pgpVerifySelf(digp, selfsig, all, i);
|
+ if (!(prevtag == PGPTAG_PUBLIC_SUBKEY &&
|
||||||
|
+ selfsig->sigtype != PGPSIGTYPE_SUBKEY_BINDING))
|
||||||
|
+ xx = pgpVerifySelf(digp, selfsig, all, i);
|
||||||
+
|
+
|
||||||
+ selfsig = pgpDigParamsFree(selfsig);
|
+ selfsig = pgpDigParamsFree(selfsig);
|
||||||
+ if (xx)
|
+ if (xx)
|
||||||
@ -213,7 +215,7 @@ index 46cd0f31a..fbb131a28 100644
|
|||||||
if (ret && rc == 0) {
|
if (ret && rc == 0) {
|
||||||
*ret = digp;
|
*ret = digp;
|
||||||
} else {
|
} else {
|
||||||
@@ -1063,8 +1153,7 @@ int pgpPrtParamsSubkeys(const uint8_t *pkts, size_t pktlen,
|
@@ -1063,8 +1152,7 @@ int pgpPrtParamsSubkeys(const uint8_t *pkts, size_t pktlen,
|
||||||
digps = xrealloc(digps, alloced * sizeof(*digps));
|
digps = xrealloc(digps, alloced * sizeof(*digps));
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -223,6 +225,19 @@ index 46cd0f31a..fbb131a28 100644
|
|||||||
/* Copy UID from main key to subkey */
|
/* Copy UID from main key to subkey */
|
||||||
digps[count]->userid = xstrdup(mainkey->userid);
|
digps[count]->userid = xstrdup(mainkey->userid);
|
||||||
|
|
||||||
|
diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c
|
||||||
|
index 771d01098..b33fe996c 100644
|
||||||
|
--- a/sign/rpmgensig.c
|
||||||
|
+++ b/sign/rpmgensig.c
|
||||||
|
@@ -409,7 +409,7 @@ static int haveSignature(rpmtd sigtd, Header h)
|
||||||
|
pgpPrtParams(oldtd.data, oldtd.count, PGPTAG_SIGNATURE, &sig2);
|
||||||
|
if (pgpDigParamsCmp(sig1, sig2) == 0)
|
||||||
|
rc = 1;
|
||||||
|
- pgpDigParamsFree(sig2);
|
||||||
|
+ sig2 = pgpDigParamsFree(sig2);
|
||||||
|
}
|
||||||
|
pgpDigParamsFree(sig1);
|
||||||
|
rpmtdFreeData(&oldtd);
|
||||||
diff --git a/tests/Makefile.am b/tests/Makefile.am
|
diff --git a/tests/Makefile.am b/tests/Makefile.am
|
||||||
index 5f5207e56..309347262 100644
|
index 5f5207e56..309347262 100644
|
||||||
--- a/tests/Makefile.am
|
--- a/tests/Makefile.am
|
||||||
@ -382,5 +397,5 @@ index 09fcdd525..a74f400ae 100644
|
|||||||
# Test pre-built package verification
|
# Test pre-built package verification
|
||||||
AT_SETUP([rpmkeys -K <signed> 1])
|
AT_SETUP([rpmkeys -K <signed> 1])
|
||||||
--
|
--
|
||||||
2.33.1
|
2.34.1
|
||||||
|
|
||||||
|
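Review bot: The new guard in the `@ -178,12 +181,11 @@` hunk, `if (!(prevtag == PGPTAG_PUBLIC_SUBKEY && selfsig->sigtype != PGPSIGTYPE_SUBKEY_BINDING))`, is a negated conjunction that a reader has to De Morgan by hand to see it means "verify the self-signature unless this is a subkey whose following signature is not a binding signature". Written positively as `if (prevtag != PGPTAG_PUBLIC_SUBKEY || selfsig->sigtype == PGPSIGTYPE_SUBKEY_BINDING)` followed by `xx = pgpVerifySelf(digp, selfsig, all, i);` it matches the comment above it and makes it obvious that `xx = 1` is the only outcome for a subkey without a binding signature. The `/* assume failure */` comment on `int xx = 1;` would be more useful if it named the consequence, e.g. `/* non-zero means the key is not accepted: no binding signature, or self-signature check failed */`, but what `if (xx)` leads to is outside this hunk, so confirm that wording against the surrounding code. The enclosing loop and function both start and end outside the hunk.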
@ -32,7 +32,7 @@
|
|||||||
|
|
||||||
%global rpmver 4.14.3
|
%global rpmver 4.14.3
|
||||||
#global snapver rc2
|
#global snapver rc2
|
||||||
%global rel 20
|
%global rel 21
|
||||||
|
|
||||||
%global srcver %{version}%{?snapver:-%{snapver}}
|
%global srcver %{version}%{?snapver:-%{snapver}}
|
||||||
%global srcdir %{?snapver:testing}%{!?snapver:%{name}-%(echo %{version} | cut -d'.' -f1-2).x}
|
%global srcdir %{?snapver:testing}%{!?snapver:%{name}-%(echo %{version} | cut -d'.' -f1-2).x}
|
||||||
@ -692,6 +692,9 @@ make check || cat tests/rpmtests.log
|
|||||||
%doc doc/librpm/html/*
|
%doc doc/librpm/html/*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Jan 10 2022 Michal Domonkos <mdomonko@redhat.com> - 4.14.3-21
|
||||||
|
- Address covscan issues in binding sigs validation patch (#1958480)
|
||||||
|
|
||||||
* Thu Dec 09 2021 Michal Domonkos <mdomonko@redhat.com> - 4.14.3-20
|
* Thu Dec 09 2021 Michal Domonkos <mdomonko@redhat.com> - 4.14.3-20
|
||||||
- Add --path query option (#1940895)
|
- Add --path query option (#1940895)
|
||||||
- Macroize find-debuginfo script location (#2019540)
|
- Macroize find-debuginfo script location (#2019540)
|
||||||
|