gnupg: add patch disallowing compressed signatures and certificates #180336
This patch broke tests of EDIT: the log is a little messy, so let me post the relevant part:
Ok, would need to look into the test and see if it can be skipped. Unfortunately, I can't work on this today :-/

So, it seems very likely that it's the test's fault, not an oversight in the patch?

Yes, I believe so. Have confirmed that the patch fixes the problem described by the author, i.e. rejecting the problematic signature.
/cc PR #180336 I'm not entirely sure about this, as I couldn't spend much time, but it seemed plausible that the patch caused a different kind of errors in this tested case - though it's possible I messed the test up. Either way, the tests seem to pass now, unblocking the CVE fixes ;-)
OK, for now: db6b3e0
Eww, with 1fc7604
Hi @DemiMarie! Thx for posting about the recent issues with GnuPG on oss-sec. Just CCing you on this issue as the patch seems to break tests in
You’re welcome! I should probably fix the cleartext signature case at some point too.
It does look reasonable, but for a security patch a better approach might be to use BAD_DATA instead of UNEXPECTED elsewhere in the code.
/cc PR NixOS#180336 I'm not entirely sure about this, as I couldn't spend much time, but it seemed plausible that the patch caused a different kind of errors in this tested case - though it's possible I messed the test up. Either way, the tests seem to pass now, unblocking the CVE fixes ;-) (cherry picked from commit db6b3e0)
This is a python counterpart of commit db6b3e0; /cc PR NixOS#180336 (cherry picked from commit add0201)
https://hydra.nixos.org/log/s58rncd0idgzh5pmk8f6myb83fj471ww-gpgme-1.17.1.drv
Description of changes
Adds a patch by Demi Marie Obenour that disallows compressed signatures and certificates to prevent DoS attacks.
https://seclists.org/oss-sec/2022/q3/9
https://seclists.org/oss-sec/2022/q3/27
Things done
- Is sandbox = true set in nix.conf? (See Nix manual)
- Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage.
- Tested basic functionality of all binary files (usually in ./result/bin/)
- Ran nixos/doc/manual/md-to-db.sh to update generated release notes
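The PR description states the policy the patch enforces (compressed packets are not accepted in signatures or certificates) but not what such a check looks like in practice. The following is an added example written for this thread; it is not the GnuPG patch and not code from this PR. It is a standalone Python pre-check over RFC 4880 packet headers that walks the top-level packets of a detached signature or a certificate and rejects any packet whose tag is outside an allowlist, which by construction excludes the Compressed Data packet (tag 8). The packet tag numbers and header encodings are those of RFC 4880; the allowlists (derived from the packet compositions in RFC 4880 sections 11.1 and 11.4) and the sample packets with dummy bodies are assumptions constructed for this example. The tag is checked before the body length is read, so the decision never depends on the size or contents of a compressed payload.

```python
"""Pre-check OpenPGP input for disallowed packet types before deeper parsing.

Added example for this PR thread, not the GnuPG patch itself.  It enforces the
policy the PR description states (no compressed packets in detached signatures
or certificates) as a standalone check over RFC 4880 packet headers.  The
allowlists are an assumption derived from RFC 4880 sections 11.1 and 11.4.
"""
from typing import Iterable, List

TAG_SIGNATURE = 2
TAG_PUBLIC_KEY = 6
TAG_COMPRESSED = 8
TAG_USER_ID = 13
TAG_PUBLIC_SUBKEY = 14
TAG_USER_ATTRIBUTE = 17

SIGNATURE_TAGS = frozenset({TAG_SIGNATURE})
CERTIFICATE_TAGS = frozenset({TAG_PUBLIC_KEY, TAG_USER_ID, TAG_PUBLIC_SUBKEY,
                              TAG_USER_ATTRIBUTE, TAG_SIGNATURE})


class RejectedPacket(ValueError):
    """Raised when a packet tag is outside the allowlist for this input kind."""


def header_tag(first: int) -> int:
    """Packet tag from the first header octet (old or new format, RFC 4880 4.2)."""
    if not first & 0x80:
        raise ValueError(f"not a packet header byte: {first:#04x}")
    if first & 0x40:                 # new-format header: tag in the low six bits
        return first & 0x3F
    return (first >> 2) & 0x0F       # old-format header: tag in bits 2..5


def header_length(data: bytes, offset: int):
    """Return (body_start, body_len) for the packet header at offset.

    Partial and indeterminate lengths are not handled here; they only occur on
    data-carrying packets, which the allowlists already exclude.
    """
    first = data[offset]
    if first & 0x40:                 # new-format lengths, RFC 4880 4.2.2
        b1 = data[offset + 1]
        if b1 < 192:
            return offset + 2, b1
        if b1 < 224:
            return offset + 3, ((b1 - 192) << 8) + data[offset + 2] + 192
        if b1 == 255:
            return offset + 6, int.from_bytes(data[offset + 2:offset + 6], "big")
        raise ValueError("partial body length not supported in this check")
    ltype = first & 0x03             # old-format lengths, RFC 4880 4.2.1
    if ltype == 3:
        raise ValueError("indeterminate length not supported in this check")
    n = 1 << ltype                   # 1, 2 or 4 length octets
    return offset + 1 + n, int.from_bytes(data[offset + 1:offset + 1 + n], "big")


def walk_packets(data: bytes, allowed: Iterable[int]) -> List[int]:
    """Return the top-level packet tags, rejecting any tag not in `allowed`.

    The tag is checked before the length is read, so a compressed packet is
    rejected even when it uses a partial-body length.
    """
    allowed = frozenset(allowed)
    tags: List[int] = []
    offset = 0
    while offset < len(data):
        tag = header_tag(data[offset])
        if tag not in allowed:
            raise RejectedPacket(f"packet tag {tag} not allowed at offset {offset}")
        body_start, body_len = header_length(data, offset)
        if body_start + body_len > len(data):
            raise ValueError(f"packet at offset {offset} is truncated")
        tags.append(tag)
        offset = body_start + body_len
    return tags


def check_detached_signature(data: bytes) -> List[int]:
    return walk_packets(data, SIGNATURE_TAGS)


def check_certificate(data: bytes) -> List[int]:
    return walk_packets(data, CERTIFICATE_TAGS)


# --- constructed sample packets (dummy bodies, not real OpenPGP data) ---

def old_packet(tag: int, body: bytes) -> bytes:
    """Old-format header with a one-octet length (body must be < 256 bytes)."""
    return bytes([0x80 | (tag << 2), len(body)]) + body


def new_packet(tag: int, body: bytes) -> bytes:
    """New-format header with a one-, two- or five-octet length."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([192 + ((n - 192) >> 8), (n - 192) & 0xFF])
    else:
        length = b"\xff" + n.to_bytes(4, "big")
    return bytes([0xC0 | tag]) + length + body


SAMPLE_SIGNATURE = old_packet(TAG_SIGNATURE, b"\x04\x00" * 8)
# a signature wrapped in a compressed-data packet (algorithm octet 0x01 = ZIP)
SAMPLE_COMPRESSED = new_packet(TAG_COMPRESSED, b"\x01" + SAMPLE_SIGNATURE)
SAMPLE_CERTIFICATE = (old_packet(TAG_PUBLIC_KEY, b"\x04" * 20)
                      + new_packet(TAG_USER_ID, b"constructed user id" * 12)  # 228 bytes: two-octet length
                      + old_packet(TAG_SIGNATURE, b"\x04\x13" * 4))

if __name__ == "__main__":
    print("signature:", check_detached_signature(SAMPLE_SIGNATURE))
    print("certificate:", check_certificate(SAMPLE_CERTIFICATE))
    try:
        check_detached_signature(SAMPLE_COMPRESSED)
    except RejectedPacket as exc:
        print("rejected:", exc)
```

Using an allowlist rather than a single deny of tag 8 means any other data-carrying packet (literal or encrypted data) is refused in these inputs as well; the check is a cheap front gate, and the full packet parser still has to validate every accepted packet's body.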