[Rpm-maint] [rpm-software-management/rpm] Harden against crafted inputs (#1471)

Neal Gompa (ニール・ゴンパ) notifications at github.com
Wed Dec 30 03:28:23 UTC 2020


@Conan-Kudo requested changes on this pull request.



> @@ -169,8 +169,8 @@ rpmRC rpmpkgRead(struct rpmvs_s *vs, FD_t fd,
 	goto exit;
     }
 
-    /* Read the signature header. Might not be in a contiguous region. */
-    if (hdrblobRead(fd, 1, 0, RPMTAG_HEADERSIGNATURES, sigblob, &msg))
+    /* Read the signature header. Must be in a contiguous region. */
+    if (hdrblobRead(fd, 1, 1, RPMTAG_HEADERSIGNATURES, sigblob, &msg))

So, we deliberately changed this in https://github.com/rpm-software-management/rpm/commit/34c2ba3c6a80a778cdf2e42a9193b3264e08e1b3 to make it compatible with third-party RPMs that are not crafted by `rpmbuild`. I don't know if we want to revert this again...

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/1471#pullrequestreview-559768788
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rpm.org/pipermail/rpm-maint/attachments/20201229/9d0a7ac5/attachment.html>


More information about the Rpm-maint mailing list