[Rpm-maint] [rpm-software-management/rpm] Validate self-signatures and require subkey bindings on PGP public keys (#1788)

Demi Marie Obenour notifications at github.com
Sat Feb 5 17:17:36 UTC 2022


> Hi
> Can you backport those fixes to rpm-4.16.x?
> We need them for fixing the CVE in Mageia 8 (and probably other distributions).
> Thanks
> b5e8bc74b2b05aa557f663fe227b94d2bc64fbd8 & 9f03f42e2614a68f589f9db8fe76287146522c0c apply cleanly.
> But not bd36c5dc9fb6d90c46fbfed8c2d67516fc571ec8 since there's been refactoring between 4.16 & 4.17

The OpenPGP packet parser has had a lot of hardening between 4.16 and 4.17, and I suggest backporting most of the changes to it.  daeddb01de50c53b98eae75e11234132ae63538a adds a check that b5e8bc74b2b05aa557f663fe227b94d2bc64fbd8 removed, and there are other commits that fix various undefined behaviors.  I suggest backporting all of the commits in https://github.com/rpm-software-management/rpm/commits/714e606558b4517bd2d02d03a0ddad7da79a58c6/rpmio/rpmpgp.c.


-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/1788#issuecomment-1030662927

Message ID: <rpm-software-management/rpm/pull/1788/c1030662927 at github.com>
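The hardening discussed above lives in rpm's OpenPGP packet parser (rpmio/rpmpgp.c), and the PR title states the policy it enforces: self-signatures must validate and subkeys must carry binding signatures. The following C is an added illustration, written for this page; it is not rpm's code and not taken from any of the commits named above. It shows the two pieces a reader of that thread would want to see: a bounds-checked RFC 4880 packet-header decoder that rejects the length encodings a key parser should never accept (indeterminate and partial body lengths, bodies that run past the buffer), and a purely structural walk over a public key block that refuses a User ID with no certification signature or a subkey with no binding signature. It does not verify any signature cryptographically, and it is deliberately narrower than a real importer (it accepts only v4 signatures and rejects packet types such as User Attribute that real keys may carry). The sample byte strings are constructed placeholders, not real key material.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Packet tags (RFC 4880 section 4.3) that appear in a public key block. */
enum { PGPTAG_SIGNATURE = 2, PGPTAG_PUBLIC_KEY = 6,
       PGPTAG_USER_ID = 13,  PGPTAG_PUBLIC_SUBKEY = 14 };

struct pgp_pkt {
    uint8_t tag;
    size_t hlen;          /* header (tag + length) octets consumed */
    const uint8_t *body;  /* points into the caller's buffer */
    size_t blen;          /* body octets, guaranteed to fit in the buffer */
};

/* Decode one packet header (RFC 4880 section 4.2) from p[0..plen).
 * Returns 0 on success, -1 on a malformed, truncated or unsupported header.
 * Old-format indeterminate lengths and new-format partial body lengths are
 * rejected: key material is never streamed, and accepting them is how a
 * parser ends up reading past the end of its buffer. */
int pgp_pkt_parse(const uint8_t *p, size_t plen, struct pgp_pkt *pkt)
{
    size_t hlen, blen;
    if (plen < 2 || !(p[0] & 0x80))        /* bit 7 of the tag octet must be set */
        return -1;
    if (p[0] & 0x40) {                      /* new-format header */
        uint8_t b = p[1];
        pkt->tag = p[0] & 0x3f;
        if (b < 192) {
            hlen = 2; blen = b;
        } else if (b < 224) {               /* two-octet length */
            if (plen < 3) return -1;
            hlen = 3; blen = ((size_t)(b - 192) << 8) + p[2] + 192;
        } else if (b == 255) {              /* five-octet length */
            if (plen < 6) return -1;
            hlen = 6;
            blen = ((size_t)p[2] << 24) | ((size_t)p[3] << 16) | ((size_t)p[4] << 8) | p[5];
        } else {
            return -1;                      /* 224..254: partial body length */
        }
    } else {                                /* old-format header */
        static const size_t lsize[4] = { 1, 2, 4, 0 };
        size_t n = lsize[p[0] & 3];
        pkt->tag = (p[0] >> 2) & 0x0f;
        if (n == 0 || plen < 1 + n) return -1;   /* n == 0: indeterminate length */
        hlen = 1 + n;
        blen = 0;
        for (size_t i = 0; i < n; i++) blen = (blen << 8) | p[1 + i];
    }
    if (blen > plen - hlen)                 /* body would run past the buffer */
        return -1;
    pkt->hlen = hlen; pkt->body = p + hlen; pkt->blen = blen;
    return 0;
}

/* Single-value wrappers around the parser: tag or body length, -1 if rejected. */
int pgp_pkt_tag(const uint8_t *p, size_t plen)
{
    struct pgp_pkt pkt;
    return pgp_pkt_parse(p, plen, &pkt) == 0 ? (int)pkt.tag : -1;
}
long pgp_pkt_body_len(const uint8_t *p, size_t plen)
{
    struct pgp_pkt pkt;
    return pgp_pkt_parse(p, plen, &pkt) == 0 ? (long)pkt.blen : -1;
}

/* Structural walk over a public key block (RFC 4880 section 11.1).
 * Returns 1 if every User ID is followed by a certification signature
 * (types 0x10..0x13) and every subkey by a subkey binding signature
 * (type 0x18); 0 otherwise. This checks only packet order and signature
 * type octets; it does NOT verify any signature. v4 signatures only. */
int pgp_key_structure_ok(const uint8_t *buf, size_t len)
{
    struct pgp_pkt pkt;
    size_t off = 0;
    int n = 0, uids = 0, pending = 0;   /* pending: tag awaiting its signature */
    while (off < len) {
        if (pgp_pkt_parse(buf + off, len - off, &pkt) != 0) return 0;
        off += pkt.hlen + pkt.blen;
        if (n == 0) {
            if (pkt.tag != PGPTAG_PUBLIC_KEY) return 0;   /* must start with primary key */
        } else switch (pkt.tag) {
        case PGPTAG_PUBLIC_KEY: return 0;                 /* only one primary key */
        case PGPTAG_USER_ID:
        case PGPTAG_PUBLIC_SUBKEY:
            if (pending) return 0;                        /* previous item never signed */
            pending = pkt.tag;
            break;
        case PGPTAG_SIGNATURE: {
            if (pkt.blen < 2 || pkt.body[0] != 4) return 0;
            uint8_t st = pkt.body[1];
            if (pending == PGPTAG_USER_ID && st >= 0x10 && st <= 0x13) { pending = 0; uids++; }
            else if (pending == PGPTAG_PUBLIC_SUBKEY && st == 0x18) pending = 0;
            else if (pending) return 0;                   /* wrong signature type for item */
            break;                                        /* extra signature: accepted */
        }
        default: return 0;                                /* unexpected packet type */
        }
        n++;
    }
    return n > 0 && pending == 0 && uids > 0;
}

/* Constructed sample input (not real key material): bodies are placeholders,
 * only the headers and the signature version/type octets matter here. */
static const uint8_t good_key[] = {
    0xC6, 0x03, 'k', 'e', 'y',          /* tag 6  Public-Key, 3-octet body  */
    0xCD, 0x04, 'u', 'i', 'd', '1',     /* tag 13 User ID                   */
    0xC2, 0x02, 0x04, 0x13,             /* tag 2  v4 signature, type 0x13   */
    0xCE, 0x03, 's', 'u', 'b',          /* tag 14 Public-Subkey             */
    0xC2, 0x02, 0x04, 0x18              /* tag 2  v4 subkey binding, 0x18   */
};
static const uint8_t unbound_subkey[] = {
    0xC6, 0x03, 'k', 'e', 'y', 0xCD, 0x04, 'u', 'i', 'd', '1',
    0xC2, 0x02, 0x04, 0x13, 0xCE, 0x03, 's', 'u', 'b'   /* subkey, no binding */
};
static const uint8_t old_fmt_pk[]  = { 0x99, 0x00, 0x03, 'k', 'e', 'y' }; /* old format, 2-octet len */
static const uint8_t truncated[]   = { 0xC6, 0x10, 'k' };                 /* claims 16 octets, has 1 */
static const uint8_t partial_len[] = { 0xC6, 0xE0, 'k' };                 /* partial body length     */

int main(void)
{
    printf("good_key structure ok: %d\n", pgp_key_structure_ok(good_key, sizeof good_key));
    printf("unbound_subkey ok:     %d\n", pgp_key_structure_ok(unbound_subkey, sizeof unbound_subkey));
    printf("old-format tag/len:    %d/%ld\n", pgp_pkt_tag(old_fmt_pk, sizeof old_fmt_pk),
           pgp_pkt_body_len(old_fmt_pk, sizeof old_fmt_pk));
    printf("truncated / partial:   %d / %d\n", pgp_pkt_tag(truncated, sizeof truncated),
           pgp_pkt_tag(partial_len, sizeof partial_len));
    return 0;
}
```

The point of the header decoder is the order of the checks: every length octet is bounds-checked before it is read, and the computed body length is compared against the remaining buffer before `body` is handed out, so nothing downstream can walk past the input. The structural walk is the cheap precondition for the cryptographic step rpm's PR adds; a key that fails it can be rejected before any signature is hashed or verified.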