[Rpm-maint] [rpm-software-management/rpm] Fix handling of bad IMA and fsverity signatures (PR #1913)

Demi Marie Obenour notifications at github.com
Mon Feb 7 00:12:55 UTC 2022


This is based on #1900, but it includes additional protections.  #1900 just contains the security fix, whereas this PR also prevents RPM from crashing and/or leaking memory.
You can view, comment on, or merge this pull request online at:

  https://github.com/rpm-software-management/rpm/pull/1913

-- Commit Summary --

  * Add rmallocarray()
  * Fix IMA signature lengths assumed constant (again)
  * Impose a limit on hex2bin() memory allocs
  * Avoid calling memcpy() on NULL
  * Fix inverted logic in base2bin()
  * Limit the amount of memory base2bin() will allocate
  * Fix memory leak if base64 decoding fails

-- File Changes --

    M lib/rpmfi.c (46)
    M rpmio/rpmmalloc.c (13)
    M rpmio/rpmutil.h (3)

-- Patch Links --

https://github.com/rpm-software-management/rpm/pull/1913.patch
https://github.com/rpm-software-management/rpm/pull/1913.diff


Message ID: <rpm-software-management/rpm/pull/1913 at github.com>