gnupg: add patch disallowing compressed signatures and certificates #180336
Conversation
This patch broke tests of
EDIT: the log is a little messy, so let me post the relevant part:
Ok, would need to look into the test and see if it can be skipped. Unfortunately, I can't work on this today :-/
So, it seems very likely that it's the test's fault, not an oversight in the patch?
Yes, I believe so. Have confirmed that the patch fixes the problem described by the author, i.e. rejecting the problematic signature.
/cc PR #180336 I'm not entirely sure about this, as I couldn't spend much time, but it seemed plausible that the patch caused a different kind of errors in this tested case - though it's possible I messed the test up. Either way, the tests seem to pass now, unblocking the CVE fixes ;-)
OK, for now: db6b3e0
Eww, with 1fc7604
Hi @DemiMarie! Thx for posting about the recent issues with GnuPG on oss-sec. Just CCing you on this issue as the patch seems to break tests in
You’re welcome! I should probably fix the cleartext signature case at some point too.
It does look reasonable, but for a security patch a better approach might be to use BAD_DATA instead of UNEXPECTED elsewhere in the code.
/cc PR NixOS#180336 I'm not entirely sure about this, as I couldn't spend much time, but it seemed plausible that the patch caused a different kind of errors in this tested case - though it's possible I messed the test up. Either way, the tests seem to pass now, unblocking the CVE fixes ;-) (cherry picked from commit db6b3e0)
This is a python counterpart of commit db6b3e0; /cc PR NixOS#180336 (cherry picked from commit add0201)
https://hydra.nixos.org/log/s58rncd0idgzh5pmk8f6myb83fj471ww-gpgme-1.17.1.drv
Description of changes
Adds a patch by Demi Marie Obenour that disallows compressed signatures and certificates to prevent DoS attacks.
https://seclists.org/oss-sec/2022/q3/9
https://seclists.org/oss-sec/2022/q3/27
Things done
- sandbox = true set in nix.conf? (See Nix manual)
- nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage.
- ./result/bin/
- nixos/doc/manual/md-to-db.sh to update generated release notes
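The following is an added example and not the GnuPG patch this PR packages. It shows, at the OpenPGP packet-header level (RFC 4880 section 4.2), what "disallowing compressed signatures and certificates" means: walk the top-level packets of a binary blob and reject any Compressed Data packet (tag 8) where a detached signature or a certificate is expected, so that no decompression step can be driven by attacker-supplied input. The allowed tag sets, the sample packet bytes and the helper names are this example's own assumptions; the real patch's logic inside GnuPG is not reproduced.

```python
"""Scan OpenPGP packet headers and refuse Compressed Data packets (tag 8).

Added example, not the GnuPG patch from this PR. It implements the check the
PR describes at the packet-header level, following RFC 4880 section 4.2:
walk the top-level packets of a binary OpenPGP blob and reject any
Compressed Data packet where a detached signature or a certificate is
expected. The allowed tag sets below are this example's assumptions.
"""
import struct

COMPRESSED_DATA = 8  # Compressed Data packet tag (RFC 4880 section 5.6)

# Tags a detached signature or a certificate (transferable public key) may
# contain. Everything else, tag 8 in particular, is rejected. (Assumption of
# this example, not taken from the patch.)
SIGNATURE_TAGS = {2}                    # Signature
CERTIFICATE_TAGS = {2, 6, 13, 14, 17}   # Signature, Public-Key, User ID,
                                        # Public-Subkey, User Attribute


class MalformedPacket(ValueError):
    """Raised for truncated, unsupported or disallowed packets."""


def _parse_header(data, pos):
    """Return (tag, body_length, body_offset) for the packet starting at pos."""
    if pos >= len(data):
        raise MalformedPacket("unexpected end of data")
    ctb = data[pos]
    if not ctb & 0x80:
        raise MalformedPacket(f"bit 7 clear in packet tag byte at offset {pos}")
    if ctb & 0x40:
        # New-format header: tag in the low 6 bits, 1/2/5-octet body length.
        tag = ctb & 0x3F
        if pos + 1 >= len(data):
            raise MalformedPacket("truncated length octet")
        first = data[pos + 1]
        if first < 192:
            length, hdr = first, 2
        elif first < 224:
            if pos + 2 >= len(data):
                raise MalformedPacket("truncated two-octet length")
            length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
        elif first == 255:
            if pos + 6 > len(data):
                raise MalformedPacket("truncated five-octet length")
            length, hdr = struct.unpack(">I", data[pos + 2:pos + 6])[0], 6
        else:
            # 224..254 are partial body lengths, used for streamed data
            # packets; signatures and certificates never need them.
            raise MalformedPacket("partial body length not allowed here")
    else:
        # Old-format header: tag in bits 2..5, length type in bits 0..1.
        tag = (ctb >> 2) & 0x0F
        ltype = ctb & 0x03
        if ltype == 3:
            raise MalformedPacket("indeterminate length not allowed here")
        size = (1, 2, 4)[ltype]
        if pos + 1 + size > len(data):
            raise MalformedPacket("truncated old-format length")
        length = int.from_bytes(data[pos + 1:pos + 1 + size], "big")
        hdr = 1 + size
    return tag, length, pos + hdr


def packet_tags(data):
    """Return the tag of every top-level packet in data, in order."""
    tags, pos = [], 0
    while pos < len(data):
        tag, length, body = _parse_header(data, pos)
        if body + length > len(data):
            raise MalformedPacket(f"body of tag {tag} runs past end of data")
        tags.append(tag)
        pos = body + length
    return tags


def check_packets(data, allowed):
    """Return the tag list if every packet is allowed, else raise."""
    tags = packet_tags(data)
    for tag in tags:
        if tag == COMPRESSED_DATA:
            raise MalformedPacket("Compressed Data packet (tag 8) not allowed")
        if tag not in allowed:
            raise MalformedPacket(f"unexpected packet tag {tag}")
    return tags


def is_acceptable_signature(data):
    try:
        check_packets(data, SIGNATURE_TAGS)
        return True
    except MalformedPacket:
        return False


def is_acceptable_certificate(data):
    try:
        check_packets(data, CERTIFICATE_TAGS)
        return True
    except MalformedPacket:
        return False


# Constructed sample inputs: only the packet headers matter to this scanner;
# the bodies are filler, not real signature or key material.
SIG = b"\xc2\x03" + b"\x04\x00\x00"                 # new-format Signature, 3-byte body
SIG_COMPRESSED = b"\xa0\x04" + b"\x01\x00\x00\x00"  # old-format Compressed Data
CERT = (b"\x99\x00\x02" + b"\x04\x00"               # old-format Public-Key, 2-octet length
        + b"\xcd\x03" + b"bob"                      # new-format User ID
        + b"\xc2\x01" + b"\x04")                    # new-format Signature
CERT_COMPRESSED = CERT + b"\xc8\x02" + b"\x01\x00"  # trailing Compressed Data

if __name__ == "__main__":
    for name, blob in [("SIG", SIG), ("SIG_COMPRESSED", SIG_COMPRESSED)]:
        print(name, "accepted" if is_acceptable_signature(blob) else "rejected")
    for name, blob in [("CERT", CERT), ("CERT_COMPRESSED", CERT_COMPRESSED)]:
        print(name, "accepted" if is_acceptable_certificate(blob) else "rejected")
```

The scanner never inflates anything: it only reads headers and lengths, so a malicious blob cannot make it allocate more than the input it was handed. Truncated packets, indeterminate-length and partial-body-length headers are rejected as well, since none of them appear in a well-formed detached signature or certificate.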