FS#27453 - repo-add allows adding bogus signature files
Attached to Project:
Pacman
Opened by Dave Reisner (falconindy) - Monday, 05 December 2011, 04:38 GMT
Last edited by Dan McGee (toofishes) - Wednesday, 07 December 2011, 16:07 GMT
Details
Daenyth broke community tonight by submitting a signature
generated via gpg --sign (without --detach-sign). The
resulting desc file is over 1MiB in size. When parsing this
file, pacman throws the error:
error: could not parse package description file 'tremulous-1.1.0-8/desc' from db 'community'

which isn't actually the case. The description is very much intact -- the signature is what failed parsing:

Repository : community
Name : tremulous
Version : 1.1.0-8
URL : None
Licenses : None
Groups : None
Provides : tremulous-updated=1.1.0-8
Depends On : sdl openal>=1.7.411 libgl tremulous-data=1.1.0 freetype2
Optional Deps : None
Conflicts With : tremulous-updated
Replaces : None
Download Size : 933.18 KiB
Installed Size : 2937.00 KiB
Packager : None
Architecture : None
Build Date : None
MD5 Sum : c18c6980c471fe785bc5ff169ec66902
SHA256 Sum : e30d3b5054187ec58c4bdded7681cb8de83f5d595ee2eaab5f5c2f70eb68364f
Signatures : None
Description : A free team based FPS/RTS hybrid built on the ioq3 engine. Includes community updates.

The "broken" tarball is attached.
Closed by Dan McGee (toofishes)
Wednesday, 07 December 2011, 16:07 GMT
Reason for closing: Fixed
Additional comments about closing: Sanity check on size of .sig file added in commit 17e0be9e6a
Oh damn.. stupid gpg signatures...
1) We can sanity check in repo-add on the .sig file using a similar size cutoff as we do in pacman when downloading signatures.
2) We might be able to do a sanity check on the .sig file contents itself to ensure it is a signature file.
I am glad to see we didn't segfault or anything here, that means the archive line reading code is actually working correctly.
Gavin, did you manually move the .gpg file to .sig, or how did this mixup happen?
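The two sanity checks proposed in the comment above (a size cutoff and a content check), as an added example and not pacman's own repo-add code. The 16 KiB cutoff is an assumed value, not the one from the fix; the first-byte test relies on the OpenPGP binary packet format, where a detached signature begins with a signature packet (tag 2: old-format bytes 0x88..0x8B or new-format 0xC2) while `gpg --sign` output begins with a compressed-data (0xA3) or one-pass-signature (0x90) packet.

```shell
#!/bin/sh
# Assumed cutoff for a detached .sig file (not the value from the fix).
SIG_MAX_BYTES=16384

# check_sigfile FILE
# Returns 0 if FILE is small enough and starts with an OpenPGP
# signature packet, 1 otherwise (reason printed on stderr).
check_sigfile() {
    f=$1
    [ -f "$f" ] || { echo "$f: no such file" >&2; return 1; }
    size=$(wc -c < "$f" | tr -d ' ')
    if [ "$size" -gt "$SIG_MAX_BYTES" ]; then
        echo "$f: $size bytes exceeds ${SIG_MAX_BYTES}-byte limit" >&2
        return 1
    fi
    # First byte of a binary OpenPGP packet carries the packet tag.
    first=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
    case $first in
        88|89|8a|8b|c2) return 0 ;;
        *)  echo "$f: first byte 0x$first is not a signature packet" >&2
            return 1 ;;
    esac
}

# Constructed samples (not real signatures): one shaped like a detached
# signature, one shaped like `gpg --sign` output, one oversized.
tmp=$(mktemp -d)
printf '\211\001\023stub' > "$tmp/detached.sig"
printf '\243\001stub' > "$tmp/signed.sig"
{ printf '\211'; head -c 20000 /dev/zero; } > "$tmp/huge.sig"

for s in detached signed huge; do
    if check_sigfile "$tmp/$s.sig"; then
        echo "$s.sig: accepted"
    else
        echo "$s.sig: rejected"
    fi
done
rm -rf "$tmp"
```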