openSUSE:Step:15-SP2 / fwupd.15879 / CVE-2020-10759.patch
File CVE-2020-10759.patch of Package fwupd.15879
From 21f2d12fccef63b8aaa99ec53278ce18250b0444 Mon Sep 17 00:00:00 2001 From: Richard Hughes <richard@hughsie.com> Date: Thu, 28 May 2020 16:42:18 +0100 Subject: [PATCH] Validate that gpgme_op_verify_result() returned at least one signature If a detached signature is actually a PGP message, gpgme_op_verify() returns the rather perplexing GPG_ERR_NO_ERROR, and then gpgme_op_verify_result() builds an empty list. Explicitly check for no signatures present to avoid returning a FuKeyringResult with no timestamp and an empty authority. Many thanks to Justin Steven <justin@justinsteven.com> for the discovery and coordinated disclosure of this issue. Fixes CVE-2020-10759 --- src/fu-keyring-gpg.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/fu-keyring-gpg.c b/src/fu-keyring-gpg.c index f06449cf..15d6e2c3 100644 --- a/src/fu-keyring-gpg.c +++ b/src/fu-keyring-gpg.c @@ -297,6 +297,13 @@ fu_keyring_gpg_verify_data (FuKeyring *keyring, "no result record from libgpgme"); return NULL; } + if (result->signatures == NULL) { + g_set_error_literal (error, + FWUPD_ERROR, + FWUPD_ERROR_INTERNAL, + "no signatures from libgpgme"); + return NULL; + } /* look at each signature */ for (s = result->signatures; s != NULL ; s = s->next ) { -- 2.26.2
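Review bot: the new `if (result->signatures == NULL)` block in fu_keyring_gpg_verify_data() is the right place for the check, since it runs after the "no result record from libgpgme" guard and before the `for (s = result->signatures; ...)` loop, so the loop can no longer fall through with zero iterations and return a FuKeyringResult that has no timestamp and an empty authority; one thing worth reconsidering is the error classification, because an empty signature list here means the supplied detached signature was not a usable signature (the commit message names a PGP message passed in its place), which callers and log readers would expect to see reported as a signature-verification failure rather than as FWUPD_ERROR_INTERNAL, so a signature-failure error code may be more accurate than the internal one reused from the guard above. A regression test that feeds a PGP message as the detached signature, the input described in the commit message, would pin the behaviour and show that verification now fails explicitly instead of succeeding with an empty result.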