We are intentionally skipping just past the header here (see RFC 4880
for details) so make that explicit by moving the pointer relative to the
header's start as opposed to relative to the pointer itself.
This is equivalent to the previous expression but makes OpenScanHub
happy.
Resolves: RHEL-22607
Yikes. This was a rushed "fix" that caused a regression in --verify
mode with the following error message:
Header RSA signature: BAD (header tag 268: invalid OpenPGP signature)
This was immediately caught by the CI (thank god we have it!).
Since this patch was downstream-only (no internal OpenPGP parser in rpm
upstream anymore), it didn't go through the usual peer review. I should
have asked for it in GitLab still, no matter how innocent and tiny the
change appears to be (lesson learned).
Anyway, it's probably going to be safer to just mark this finding as a
false positive (which it really is), as opposed to touching the code.
Let's revisit later; for now, just revert.
This reverts commit ae9528bbef.
Related: RHEL-22607
We are intentionally skipping just past the header here (see RFC 4880
for details) so make that explicit by moving the pointer relative to the
header's start as opposed to relative to the pointer itself.
This is equivalent to the previous expression but makes OpenScanHub
happy.
Resolves: RHEL-22607
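The "skip just past the header" step that both RHEL-22607 messages above describe, as an added example that is not rpm's own code: a parser for the RFC 4880 packet header (old- and new-format lengths) that locates the body as header start plus header length, bounds-checked against the bytes available, rather than by advancing the pointer in place. Function names and the sample packets are my own constructions.

```c
#include <stddef.h>
#include <stdint.h>

/* Parse one OpenPGP packet header (RFC 4880, section 4.2). Returns the
 * header length and fills *tag and *bodylen, or returns 0 if the header
 * is malformed or does not fit in avail. Partial and indeterminate body
 * lengths are rejected here (a signature packet never needs them). */
size_t pgp_header_len(const uint8_t *h, size_t avail, unsigned *tag, size_t *bodylen)
{
    if (avail < 2 || !(h[0] & 0x80))
        return 0;                             /* bit 7 must always be set */
    if (h[0] & 0x40) {                        /* new-format header */
        uint8_t b = h[1];
        *tag = h[0] & 0x3f;
        if (b < 192) { *bodylen = b; return 2; }
        if (b < 224) {                        /* two-octet length */
            if (avail < 3) return 0;
            *bodylen = ((size_t)(b - 192) << 8) + h[2] + 192;
            return 3;
        }
        if (b == 255) {                       /* five-octet length */
            if (avail < 6) return 0;
            *bodylen = ((size_t)h[2] << 24) | ((size_t)h[3] << 16) | ((size_t)h[4] << 8) | h[5];
            return 6;
        }
        return 0;                             /* partial body length */
    }
    *tag = (h[0] >> 2) & 0x0f;                /* old-format header */
    switch (h[0] & 3) {
    case 0: *bodylen = h[1]; return 2;
    case 1: if (avail < 3) return 0;
            *bodylen = ((size_t)h[1] << 8) | h[2]; return 3;
    case 2: if (avail < 5) return 0;
            *bodylen = ((size_t)h[1] << 24) | ((size_t)h[2] << 16) | ((size_t)h[3] << 8) | h[4]; return 5;
    default: return 0;                        /* indeterminate length */
    }
}

/* Offset of the body from the header start (hdr + offset is the body),
 * or 0 if the header or the declared body does not fit in avail. The
 * body is located relative to hdr, never by moving hdr itself. */
size_t pgp_body_offset(const uint8_t *hdr, size_t avail)
{
    unsigned tag;
    size_t bodylen;
    size_t hl = pgp_header_len(hdr, avail, &tag, &bodylen);
    if (hl == 0 || bodylen > avail - hl)
        return 0;
    return hl;
}

/* Constructed samples: old- and new-format signature packets (tag 2),
 * plus a new-format header whose declared 193-byte body is missing. */
static const uint8_t OLD_SIG_PKT[] = { 0x89, 0x00, 0x03, 0xaa, 0xbb, 0xcc };
static const uint8_t NEW_SIG_PKT[] = { 0xc2, 0x02, 0x01, 0x02 };
static const uint8_t TRUNC_PKT[]   = { 0xc2, 0xc0, 0x01 };
```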
Fixes CVE-2021-35937, CVE-2021-35938 and CVE-2021-35939
Patches include small changes found in other patches. See RHEL-8.10
patch set for intermediate steps.
Resolves: RHEL-14598 RHEL-14599 RHEL-14600
This file has been completely removed upstream in the meantime (as part
of the debuginfo tooling split off in commit 04b0805) so this patch will
only be carried downstream.
The issue here was that htab->entries would be freed at the end of
htab_expand() if the htab->return_allocation_failure toggle was 0, and
later accessed in the calling function(s).
In reality, though, the toggle is initialized to 1 and never turned off
in the current implementation, but let's future-proof ourselves in case
we inadvertently turn it off in a future patch.
Found by Coverity.
Related: #1938861