[Rpm-maint] [rpm-software-management/rpm] rpm segfaults when importing keys downloaded from keys.openpgp.org (Issue #3001)

Panu Matilainen notifications at github.com
Tue Apr 2 10:51:37 UTC 2024


Right, this is specific to the internal pgp parser. With rpm-sequoia I get:

```
$ tools/rpmkeys --dbpath /tmp/kdb --import /tmp/2596A99EAAB33821893C0A79458CA832957F5868
error: Certificate 458CA832957F5868:
  Policy rejects 458CA832957F5868: No binding signature at time 2024-04-02T10:42:20Z
error: /tmp/2596A99EAAB33821893C0A79458CA832957F5868: key 1 import failed.
```

but easy enough to reproduce with the old parser. This is enough to prevent the crash:

```
--- a/rpmio/rpmpgp_internal.c
+++ b/rpmio/rpmpgp_internal.c
@@ -1079,6 +1079,8 @@ int pgpPrtParamsSubkeys(const uint8_t *pkts, size_t pktlen,
 
            digps[count] = pgpDigParamsNew(PGPTAG_PUBLIC_SUBKEY);
            /* Copy UID from main key to subkey */
+           if (!mainkey->userid)
+               break;
            digps[count]->userid = xstrdup(mainkey->userid);
 
            if (getKeyID(pkt.body, pkt.blen, digps[count]->signid)) {
```
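
Review bot: the added `if (!mainkey->userid) break;` sits after `digps[count] = pgpDigParamsNew(PGPTAG_PUBLIC_SUBKEY);`, so the loop is left with a freshly allocated entry in `digps[count]` and nothing in this hunk sets a return code. Please confirm that the path after the loop frees that entry and reports failure to the caller, or move the check ahead of the allocation so there is nothing to clean up. A one-line comment noting that a main key without a user ID leaves `mainkey->userid` NULL, and that `xstrdup()` must not see it, would make the intent clear to later readers.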

It won't import the key, but if main userid is missing in the key then maybe it shouldn't.
The internal parser is now gone from the upstream rpm repo but it's of course still there in 4.19.x. @mlschroe, do you want to have a closer look or just go with something like the above as a minimal bandaid?
