[Rpm-maint] [rpm-software-management/rpm] Fix IMA signature lengths assumed constant (#1833, RhBug:2018937) (PR #1844)

Panu Matilainen notifications at github.com
Fri Nov 26 10:40:07 UTC 2021


ECDSA signatures can vary in length, but the IMA code assumes constant
lengths and thus may either place invalid signatures on disk from
either truncating or overshooting, and segfault if the stars are just
so.

Luckily the signatures are stored as strings so we can calculate the
actual lengths at runtime and ignore the stored constant length info.
Extend hex2bin() to optionally calculate the lengths and maximum,
and use these for returning IMA data from the rpmfi(les) API.

Additionally update the signing code to store the largest IMA signature
length rather than what happened to be last to be on the safe side.
We can't rely on this value due to invalid packages being out there,
but then we need to calculate the lengths on rpmfiles populate so there's
not a lot to gain anyhow.

Fixes: #1833
You can view, comment on, or merge this pull request online at:

  https://github.com/rpm-software-management/rpm/pull/1844

-- Commit Summary --

  * Fix IMA signature lengths assumed constant (#1833, RhBug:2018937)

-- File Changes --

    M lib/rpmfi.c (43)
    M sign/rpmsignfiles.c (5)

-- Patch Links --

https://github.com/rpm-software-management/rpm/pull/1844.patch
https://github.com/rpm-software-management/rpm/pull/1844.diff

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/1844
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rpm.org/pipermail/rpm-maint/attachments/20211126/fec7f19d/attachment-0001.html>


More information about the Rpm-maint mailing list