Skip to content

gnupg: add patch disallowing compressed signatures and certificates#180336

Merged
mweinelt merged 1 commit intoNixOS:staging-nextfrom
stigtsp:fix/gnupg-disallow-compressed-sigs
Jul 6, 2022
Merged

gnupg: add patch disallowing compressed signatures and certificates#180336
mweinelt merged 1 commit intoNixOS:staging-nextfrom
stigtsp:fix/gnupg-disallow-compressed-sigs

Conversation

@stigtsp
Copy link
Member

@stigtsp stigtsp commented Jul 6, 2022
edited by mweinelt
Loading

Description of changes

Adds a patch by Demi Marie Obenour that disallows compressed signatures and certificates to prevent DoS attacks.

https://seclists.org/oss-sec/2022/q3/9
https://seclists.org/oss-sec/2022/q3/27

Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 22.11 Release Notes (or backporting 22.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
    • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
  • Fits CONTRIBUTING.md.

@stigtsp stigtsp added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Jul 6, 2022
@stigtsp stigtsp requested review from alyssais, fpletz and mweinelt July 6, 2022 12:14
@ofborg ofborg bot requested a review from vrthra July 6, 2022 12:22
@ofborg ofborg bot added 10.rebuild-darwin: 101-500 This PR causes between 101 and 500 packages to rebuild on Darwin. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. labels Jul 6, 2022
@stigtsp stigtsp requested a review from vcunat July 6, 2022 12:38
@mweinelt mweinelt merged commit 268c675 into NixOS:staging-next Jul 6, 2022
@stigtsp stigtsp mentioned this pull request Jul 6, 2022
Merged
13 tasks
@vcunat
Copy link
Member

vcunat commented Jul 7, 2022
edited
Loading

This patch broke tests of gpgme and thus many builds.

EDIT: the log is a little messy, so let me post the relevant part:

t-verify:310: Double plaintext message not detected
FAIL: t-verify

@vcunat vcunat mentioned this pull request Jul 7, 2022
Merged
@stigtsp
Copy link
Member Author

stigtsp commented Jul 7, 2022

This patch broke tests of gpgme and thus many builds.

Ok, would need to look into the test and see if it can be skipped. Unfortunately, I can't work on this today :-/

@vcunat
Copy link
Member

vcunat commented Jul 7, 2022

So, it seems very likely that it's the test's fault, not an oversight in the patch?

@stigtsp
Copy link
Member Author

stigtsp commented Jul 7, 2022

Yes, i believe so. Have confirmed that the patch fixes the problem described by the author, i.e. rejecting the problematic signature.

vcunat added a commit that referenced this pull request Jul 7, 2022
@vcunat
gpgme: fix a test after disallowing compressed signatures
db6b3e0 
/cc PR #180336

I'm not entirely sure about this, as I couldn't spend much time, but
it seemed plausible that the patch caused a different kind of errors
in this tested case - though it's possible I messed the test up.
Either way, the tests seem to pass now, unblocking the CVE fixes ;-)
@vcunat
Copy link
Member

vcunat commented Jul 7, 2022

OK, for now: db6b3e0

@vcunat
Copy link
Member

vcunat commented Jul 7, 2022

Eww, with 1fc7604

@stigtsp
Copy link
Member Author

stigtsp commented Jul 7, 2022

Hi @DemiMarie! Thx for posting about the recent issues with GnuPG on oss-sec.

Just CCing you on this issue as the patch seems to break tests in gpgme, in case you have any advice if 1fc7604 is reasonable.

@DemiMarie
Copy link

DemiMarie commented Jul 7, 2022

Hi @DemiMarie! Thx for posting about the recent issues with GnuPG on oss-sec.

You’re welcome! I should probably fix the cleartext signature case at some point too.

Just CCing you on this issue as the patch seems to break tests in gpgme, in case you have any advice if 1fc7604 is reasonable.

It does look reasonable, but for a security patch a better approach might be to use BAD_DATA instead of UNEXPECTED elsewhere in the code.

vcunat added a commit that referenced this pull request Jul 8, 2022
@vcunat
python3.pkgs.gpgme: fix a test
add0201 
This is a python counterpart of commit db6b3e0; /cc PR #180336
stigtsp pushed a commit to stigtsp/nixpkgs that referenced this pull request Jul 8, 2022
@vcunat @stigtsp
gpgme: fix a test after disallowing compressed signatures
c9c9f2a 
/cc PR NixOS#180336

I'm not entirely sure about this, as I couldn't spend much time, but
it seemed plausible that the patch caused a different kind of errors
in this tested case - though it's possible I messed the test up.
Either way, the tests seem to pass now, unblocking the CVE fixes ;-)

(cherry picked from commit db6b3e0)
stigtsp pushed a commit to stigtsp/nixpkgs that referenced this pull request Jul 8, 2022
@vcunat @stigtsp
python3.pkgs.gpgme: fix a test
f69b7bb 
This is a python counterpart of commit db6b3e0; /cc PR NixOS#180336

(cherry picked from commit add0201)
@vcunat
Copy link
Member

vcunat commented Jul 13, 2022

  • Another gpgme test regressed on i686-linux (only, so probably not important):
********* Start testing of AddExistingSubkeyJobTest *********
Config: Using QtTest library 5.15.3, Qt 5.15.3 (i386-little_endian-ilp32 shared (dynamic) release build; by GCC 10.4.0), unknown unknown
PASS   : AddExistingSubkeyJobTest::initTestCase()
PASS   : AddExistingSubkeyJobTest::testAddExistingSubkeyAsync()
PASS   : AddExistingSubkeyJobTest::testAddExistingSubkeySync()
FAIL!  : AddExistingSubkeyJobTest::testAddExistingSubkeyWithExpiration() 'result.code() == GPG_ERR_NO_ERROR' returned FALSE. ()
   Loc: [t-addexistingsubkey.cpp(216)]
PASS   : AddExistingSubkeyJobTest::cleanupTestCase()
Totals: 4 passed, 1 failed, 0 skipped, 0 blacklisted, 2058ms
********* Finished testing of AddExistingSubkeyJobTest *********
QTemporaryDir: Unable to remove "/build/t-addexistingsubkey-jLOarG" most likely due to the presence of read-only files.
FAIL: t-addexistingsubkey

https://hydra.nixos.org/log/s58rncd0idgzh5pmk8f6myb83fj471ww-gpgme-1.17.1.drv

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alyssais alyssais Awaiting requested review from alyssais

@mweinelt mweinelt Awaiting requested review from mweinelt

@fpletz fpletz Awaiting requested review from fpletz

@vrthra vrthra Awaiting requested review from vrthra

@vcunat vcunat Awaiting requested review from vcunat

Assignees

No one assigned

Labels

1.severity: security Issues which raise a security issue, or PRs that fix one 10.rebuild-darwin: 101-500 This PR causes between 101 and 500 packages to rebuild on Darwin. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@stigtsp @vcunat @DemiMarie @mweinelt

Comments