Browse Source

Merge branch 'bugfix/reportbinarysig' into '1.8.y'

Add explicit message for unsupported binary signature

See merge request apt-team/apt!52
tags/devuan/2.0.1+devuan1
Julian Andres Klode 1 year ago
parent
commit
6f0b526989
2 changed files with 38 additions and 2 deletions
  1. +16
    -2
      apt-pkg/contrib/gpgv.cc
  2. +22
    -0
      test/integration/test-bug-921685-binary-detached-signature

+ 16
- 2
apt-pkg/contrib/gpgv.cc View File

@@ -297,10 +297,24 @@ void ExecGPGV(std::string const &File, std::string const &FileGPG,
}
if (found_signatures == 0 && statusfd != -1)
{
// This is not an attack attempt but a file even gpgv would complain about
// likely the result of a paywall which is covered by the gpgv method
auto const errtag = "[GNUPG:] NODATA\n";
FileFd::Write(fd[1], errtag, strlen(errtag));
// guess if this is a binary signature, we never officially supported them,
// but silently accepted them via passing them unchecked to gpgv
if (found_badcontent)
{
rewind(detached.get());
auto ptag = fgetc(detached.get());
// §4.2 says that the first bit is always set and gpg seems to generate
// only old format which is indicated by the second bit not set
if (ptag != EOF && (ptag & 0x80) != 0 && (ptag & 0x40) == 0)
{
apt_error(std::cerr, statusfd, fd, "Detached signature file '%s' is in unsupported binary format", FileGPG.c_str());
local_exit(112);
}
}
// This is not an attack attempt but a file even gpgv would complain about
// likely the result of a paywall which is covered by the gpgv method
local_exit(113);
}
else if (found_badcontent)


+ 22
- 0
test/integration/test-bug-921685-binary-detached-signature View File

@@ -0,0 +1,22 @@
#!/bin/sh
set -e

TESTDIR="$(readlink -f "$(dirname "$0")")"
. "$TESTDIR/framework"
setupenvironment
configarchitecture 'amd64'

insertpackage 'unstable' 'foo' 'all' '1'

buildaptarchive
setupdistsaptarchive

for RELEASE in $(find aptarchive -name 'Release'); do
# note the missing --armor
dosigning "keys/joesixpack" --detach-sign --sign --output "${RELEASE}.gpg" "${RELEASE}"
done

testfailure apt show foo
testfailure aptget update
testsuccess grep 'W: .* Detached signature file .* is in unsupported binary format' rootdir/tmp/testfailure.output
testfailure apt show foo

Loading…
Cancel
Save