[Rpm-maint] [rpm-software-management/rpm] Reject signatures outside of signature header (#1503)
Panu Matilainen
notifications at github.com
Tue Feb 9 12:31:50 UTC 2021
I'm not very fond of the idea of banning tags based on their numbers, such a thing might have far-fetched, unwanted consequences. At any rate, the range here is too wide, the signature range is from HEADER_SIGBASE to HEADER_TAGBASE-1.
I think I'd rather approach this from the angle that signature or hash over itself cannot possibly be correct.
Like maybe actually have rpm look for signatures and digests in the main header too, around the point where it goes fishing for payload digests from there. It already knows which tags are legit there ('sigh' in the rpmvfyitems table), so it wouldn't need to actually access the data because we can just flag it invalid.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/1503#issuecomment-775903622
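To make the tag-range point above concrete, here is an added Python sketch (not rpm's own code) that walks the index of an rpm header blob and reports any tag in the signature-only range, HEADER_SIGBASE to HEADER_TAGBASE-1, found in a main header. It assumes the header layout (8-byte magic, index count, data length, 16-byte big-endian index entries) and the constants 256/1000 from rpm's rpmtag.h; the sample headers are constructed inline.

```python
import struct

# Bounds from rpm's rpmtag.h (assumed values): tags that belong only in the
# signature header lie in [HEADER_SIGBASE, HEADER_TAGBASE), i.e. 256..999.
HEADER_SIGBASE = 256
HEADER_TAGBASE = 1000
HEADER_MAGIC = b"\x8e\xad\xe8\x01\x00\x00\x00\x00"
INDEX_ENTRY = struct.Struct(">IIII")  # tag, type, offset, count (big-endian)


def parse_header_tags(blob):
    """Return the tag numbers listed in an rpm header blob's index section."""
    if blob[:8] != HEADER_MAGIC:
        raise ValueError("bad header magic")
    nindex, _datalen = struct.unpack(">II", blob[8:16])
    index = blob[16:16 + INDEX_ENTRY.size * nindex]
    if len(index) != INDEX_ENTRY.size * nindex:
        raise ValueError("truncated header index")
    return [INDEX_ENTRY.unpack_from(index, i * INDEX_ENTRY.size)[0]
            for i in range(nindex)]


def signature_tags_in_main_header(blob):
    """Tags from the signature-only range that appear in a main header.

    A signature or digest stored in the header it is supposed to cover
    cannot be valid, so any hit here is grounds to reject the header.
    """
    return [t for t in parse_header_tags(blob)
            if HEADER_SIGBASE <= t < HEADER_TAGBASE]


def build_header(tags):
    """Constructed minimal header: index entries only, empty data section."""
    index = b"".join(INDEX_ENTRY.pack(tag, 6, 0, 1) for tag in tags)
    return HEADER_MAGIC + struct.pack(">II", len(tags), 0) + index


if __name__ == "__main__":
    # Constructed samples: a clean main header (name/version tags at 1000+)
    # and one carrying tag 268, which rpm uses for RPMTAG_RSAHEADER.
    print(signature_tags_in_main_header(build_header([1000, 1001])))       # []
    print(signature_tags_in_main_header(build_header([1000, 268, 1001])))  # [268]
```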