pld rpm 5.4.17

Jeffrey Johnson n3npq at me.com
Sat Mar 4 21:59:24 CET 2017


> On Mar 4, 2017, at 4:17 AM, Jakub Bogusz <qboosh at pld-linux.org> wrote:
>> 
>> 
>> The variable il is derived and may be tainted, while off and nb are de facto positioning
>> within the header memory blob. And yes, it may not matter.
> 
> il is already used earlier to calculate dataStart. And length of the
> whole data (pvlen).
> 

Yes. Please note “And yes it may not matter.” I’m absolutely sure your analysis is
sound, just perhaps there is more to do.

>> Meanwhile the entire issue is rather obscure, and only testing will tell.
>> Is there any information about what headers are failing headerCopyLoad()?
>> If those headers are public keys, then the real flaw is elsewhere, wrapping
>> a public key within an immutable region, with an appended SHA1.
> 
> No, these are two packages.
> I'm attaching whole db data of one of them (partially described by me
> during investigation).
> 

Thank you.

Please be patient while I do forensics to understand where the regression/flaw
entered into 5.4.17.

For starters (after reading the dump, decoding the hex is next):

There is no appended signature tag in the dump you sent.

That basically means that those headers were not produced by any version of RPM5
in the last 5-6y, all headers are signed, and some signature tag SHOULD have been appended.

I will know more from examining RPMTAG_RPMVERSION and other build tracking tags …

… it will take a bit of digging to find the root cause.

Meanwhile, by all means, apply your patch if it works for PLD. I’m just trying
not to flip-flop-flip-flop patches upstream until I understand fully what the problem
is and what needs to be done.

hth

73 de Jeff

