FS#27453 - repo-add allows adding bogus signature files

Attached to Project: Pacman
Opened by Dave Reisner (falconindy) - Monday, 05 December 2011, 04:38 GMT
Last edited by Dan McGee (toofishes) - Wednesday, 07 December 2011, 16:07 GMT
Task Type Bug Report
Category Scripts & Tools
Status Closed
Assigned To Dan McGee (toofishes)
Dave Reisner (falconindy)
Architecture All
Severity Low
Priority Normal
Reported Version git
Due in Version 4.0.2
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Daenyth broke community tonight by submitting a signature generated via gpg --sign (without --detach-sign). The resulting desc file is over 1MiB in size. When parsing this file, pacman throws the error:

error: could not parse package description file 'tremulous-1.1.0-8/desc' from db 'community'

which isn't actually the case. The description is very much intact -- the signature is what failed parsing:

Repository : community
Name : tremulous
Version : 1.1.0-8
URL : None
Licenses : None
Groups : None
Provides : tremulous-updated=1.1.0-8
Depends On : sdl openal>=1.7.411 libgl tremulous-data=1.1.0 freetype2
Optional Deps : None
Conflicts With : tremulous-updated
Replaces : None
Download Size : 933.18 KiB
Installed Size : 2937.00 KiB
Packager : None
Architecture : None
Build Date : None
MD5 Sum : c18c6980c471fe785bc5ff169ec66902
SHA256 Sum : e30d3b5054187ec58c4bdded7681cb8de83f5d595ee2eaab5f5c2f70eb68364f
Signatures : None
Description : A free team based FPS/RTS hybrid built on the ioq3 engine. Includes community updates.

The "broken" tarball is attached.

Closed by Dan McGee (toofishes) - Wednesday, 07 December 2011, 16:07 GMT
Reason for closing: Fixed
Additional comments about closing: Sanity check on size of .sig file added in commit 17e0be9e6a
Comment by Gavin Bisesi (Daenyth) - Monday, 05 December 2011, 04:42 GMT
I admit nothing! You can't prove it was me who did that!

Oh damn.. stupid gpg signatures...
Comment by Dave Reisner (falconindy) - Monday, 05 December 2011, 04:45 GMT
I must be smoking things. This is fine. package description _file_, not package description.
Comment by Dan McGee (toofishes) - Monday, 05 December 2011, 15:20 GMT
I'm going to disagree with closing this:

1) We can sanity check in repo-add on the .sig file using a similar size cutoff as we do in pacman when downloading signatures.
2) We might be able to do a sanity check on the .sig file contents itself to ensure it is a signature file.

I am glad to see we didn't segfault or anything here, that means the archive line reading code is actually working correctly.

Gavin, did you manually move the .gpg file to .sig, or how did this mixup happen?
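A check of the kind proposed in the comment above (a size cutoff plus a look at the file contents to make sure it is a detached signature rather than `gpg --sign` output), written as an added shell example; this is not pacman's repo-add code, and the 16 KiB cutoff, the function names and the sample files are assumptions:

```shell
#!/bin/bash
# Added example, not repo-add's own code: reject a .sig file that cannot be a
# detached signature before it gets embedded in the repository database.

# Assumed cutoff; the real limit in repo-add/pacman may differ.
MAX_SIG_SIZE=16384

# Print the OpenPGP packet tag of the first byte of "$1", or -1 if that byte
# lacks the mandatory packet bit (0x80), i.e. the file is not binary OpenPGP.
pgp_first_tag() {
    local byte
    byte=$(od -An -tu1 -N1 "$1" | tr -d ' ')
    [ -n "$byte" ] || byte=0
    if [ $((byte & 0x80)) -eq 0 ]; then echo -1; return; fi
    if [ $((byte & 0x40)) -ne 0 ]; then
        echo $((byte & 0x3f))            # new-format packet: tag in low 6 bits
    else
        echo $(( (byte >> 2) & 0x0f ))   # old-format packet: tag in bits 5..2
    fi
}

# check_sig_file FILE: returns 0 if FILE looks like a detached signature,
# 1 otherwise (reason on stderr).
check_sig_file() {
    local f=$1 size first tag
    [ -f "$f" ] || { echo "$f: no such file" >&2; return 1; }
    size=$(wc -c < "$f")
    if [ "$size" -gt "$MAX_SIG_SIZE" ]; then
        echo "$f: $size bytes exceeds $MAX_SIG_SIZE; not a detached signature?" >&2
        return 1
    fi
    read -r first < "$f" || true
    case $first in
        '-----BEGIN PGP SIGNATURE-----') return 0 ;;   # armored detached signature
        '-----BEGIN PGP MESSAGE-----')
            echo "$f: armored PGP MESSAGE (gpg --sign output), not a detached signature" >&2
            return 1 ;;
    esac
    tag=$(pgp_first_tag "$f")
    # Tag 2 is a Signature packet. gpg --sign output instead begins with a
    # compressed data packet (tag 8) or a one-pass signature packet (tag 4).
    [ "$tag" -eq 2 ] && return 0
    echo "$f: first OpenPGP packet has tag $tag, expected signature packet (2)" >&2
    return 1
}
```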
Comment by Gavin Bisesi (Daenyth) - Monday, 05 December 2011, 15:28 GMT
Yup, that's what I did...
