[Rpm-maint] [rpm-software-management/rpm] Individual sizes of Verity signatures get lost in base2bin and though rpmfi (Issue #1984)

Demi Marie Obenour notifications at github.com
Mon Jul 18 13:24:36 UTC 2022


> Well, after having a look my conclusion is memory usage is not the issue here. The issue is we are loosing the information on the actual individual signature sizes. Luckily the API supports individual sizes per signature and just the internal data structures need some work.

It actually is a problem.  The verity signatures are stored (unauthenticated) in the signature header and so this is a denial of service risk.  Consider the case of a bunch of tiny signatures and one huge one.  The current code will allocate memory as if all of the signatures were huge, and that can cause an out-of-memory condition.

A better fix would be to make package signing a two-step process:

1. Add IMA and fsverity signatures to a package, creating a new package.
2. Sign the new package.

But this would break backwards compatibility so it would need to go in 6.0.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/1984#issuecomment-1187419914
You are receiving this because you are subscribed to this thread.

Message ID: <rpm-software-management/rpm/issues/1984/1187419914 at github.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rpm.org/pipermail/rpm-maint/attachments/20220718/8ae5386c/attachment.html>


More information about the Rpm-maint mailing list