[Rpm-maint] [rpm-software-management/rpm] Remove the internal OpenPGP parser (Issue #2414)

Demi Marie Obenour notifications at github.com
Thu Mar 9 18:27:23 UTC 2023


If RPM goes this route, it should keep a small part of the internal parser.  Specifically, it should keep the checks that the signature is a single OpenPGP signature packet of the correct type.  This is a workaround for a known and unfixed denial-of-service vulnerability in GnuPG that I reported back in 2022, and should not increase the maintenance burden significantly.  It also ensures consistency with the Sequoia implementation, which has a much stricter parser than GnuPG has.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/2414#issuecomment-1462566447
You are receiving this because you are subscribed to this thread.

Message ID: <rpm-software-management/rpm/issues/2414/1462566447 at github.com>
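The pre-check the comment argues for, written out as an added example (not rpm's, GnuPG's or Sequoia's code): it accepts a buffer only if it is exactly one RFC 4880 signature packet (tag 2) whose signature type matches the expected one, and rejects partial-length and indeterminate-length headers, trailing data and any other packet tag. The function name and the expected-type constant are assumptions.

```c
/* Added example (not rpm's own code): validate that a blob is exactly one
 * OpenPGP signature packet (RFC 4880 tag 2) of the expected signature type
 * before handing it to an external OpenPGP implementation. */
#include <stddef.h>
#include <stdint.h>

#define PGP_TAG_SIGNATURE 2
#define PGP_SIGTYPE_BINARY 0x00   /* signature over a binary document */

/* Returns 1 if buf[0..len) is a single signature packet whose signature
 * type equals want_type; 0 otherwise. Partial-length and indeterminate-length
 * headers, trailing data and non-signature tags are all rejected. */
int pgp_is_single_sig_packet(const uint8_t *buf, size_t len, uint8_t want_type)
{
    size_t hdr, body;
    uint8_t tag;
    if (len < 2 || !(buf[0] & 0x80))
        return 0;                         /* bit 7 is set in every packet header */
    if (buf[0] & 0x40) {                  /* new-format header (RFC 4880 4.2.2) */
        tag = buf[0] & 0x3f;
        if (buf[1] < 192) { hdr = 2; body = buf[1]; }
        else if (buf[1] < 224) {
            if (len < 3) return 0;
            hdr = 3; body = ((size_t)(buf[1] - 192) << 8) + buf[2] + 192;
        } else if (buf[1] == 255) {
            if (len < 6) return 0;
            hdr = 6; body = ((size_t)buf[2] << 24) | ((size_t)buf[3] << 16)
                          | ((size_t)buf[4] << 8) | buf[5];
        } else return 0;                  /* partial body lengths: reject */
    } else {                              /* old-format header (RFC 4880 4.2.1) */
        unsigned ltype = buf[0] & 0x03;
        tag = (buf[0] >> 2) & 0x0f;
        if (ltype == 3) return 0;         /* indeterminate length: reject */
        hdr = 1 + (1u << ltype);          /* 1, 2 or 4 length octets */
        if (len < hdr) return 0;
        body = 0;
        for (size_t i = 1; i < hdr; i++) body = (body << 8) | buf[i];
    }
    if (tag != PGP_TAG_SIGNATURE || body < 2 || hdr + body != len)
        return 0;                         /* wrong tag, or not exactly one packet */
    /* v4: the signature type is the octet after the version.
     * v3: version, a 0x05 hashed-material-length octet, then the type. */
    const uint8_t *p = buf + hdr;
    if (p[0] == 3) return body >= 3 && p[1] == 5 && p[2] == want_type;
    if (p[0] == 4) return p[1] == want_type;
    return 0;
}
```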
