
Re: rpmlib app security



would it be reasonable for me to modify rpmchecksig.c to bail unless at
least 1 headerIsEntry(sigh, RPMSIGTAG_GPG), md5 checks out, size is
good, and rpmVerifySignature == 0?  i want to bail as early in the
process as possible if these conditions are not met by the inbound
package, and that looked like a good place to do it.

this assumes that there are only trusted gpg_pubkeys on the ring.

this is a helper-app only installation of rpm, so i don't have to worry
about user package installation, rpmbuild versioning or backwards compat
folklore with signatures. i'm just wondering if those changes would
break anything else down the chain.

thanks again for your input on this - i know it must be a hassle dealing
with all the nutty ways people want to break your code, and i do appreciate
it :)

-star

On Fri, 2003-06-27 at 13:03, Jeff Johnson transmuted kinetic energy into
the following digital glyphs:

> On Fri, Jun 27, 2003 at 12:51:23PM -0700, Star Morin wrote:
> > 
> > > There is also incomplete enforcement of "stop right now" when DSA fails
> > > to verify for random packages sucked into a setuid application that links
> > > rpmlib.
> > 
> > can you please expand on this point?   this *is* my current hurdle /
> > concern.
> >  
> 
> There's not much to expand upon, failure to verify is a warning and
> a return code that either
> 	a) cannot be returned (because of legacy API issues)
> 	b) is not checked (because new stuff) by application properly
> 
> The task of trusting package input has been the responsibility of applications,
> not rpmlib, historically. Retrofitting a mandatory and trusted signature check
> does not happen over night.
> 
> FWIW, signature checking returns are overloaded in the rpmRC enum, starting to
> be used most everywhere. Only the python bindings "Get it right." AFAIK, and
> that involves throwing an exception, not what most python heads are checking
> for, most are just disabling signature checks for speed.
> 
> 73 de Jeff
> 
> -- 
> Jeff Johnson	ARS N3NPQ
> jbj@redhat.com (jbj@jbj.org)
> Chapel Hill, NC
> 
> 
> _______________________________________________
> Rpm-list mailing list
> Rpm-list@redhat.com
> https://www.redhat.com/mailman/listinfo/rpm-list
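The fail-closed gate Star describes (signature tag present, size and md5 good, verify result exactly OK), written out as an added example in C. This is not rpm's code and not code from either poster: the `sigstate` struct and the two `*_accept` functions are hypothetical stand-ins for the results of headerIsEntry(sigh, RPMSIGTAG_GPG), the size/md5 checks and rpmVerifySignature(); the rpmRC values are assumed to match rpmlib's enum (RPMRC_OK = 0 and the others as listed). The point it shows is Jeff's: NOTFOUND, NOTTRUSTED and NOKEY are return codes, not failures, so a check that only rejects RPMRC_FAIL lets an unsigned or unknown-key package through, while a strict gate that requires the tag and accepts only RPMRC_OK does not.

```c
/* Added example, not rpm's own code. Models a strict signature gate for a
 * helper app that links rpmlib; all names below are constructed stand-ins. */
#include <stdio.h>

/* Assumed to mirror rpmlib's rpmRC enum (RPMRC_OK is 0 in rpmlib). */
typedef enum {
    RPMRC_OK         = 0,
    RPMRC_NOTFOUND   = 1,   /* e.g. no signature to check */
    RPMRC_FAIL       = 2,   /* outright verification failure */
    RPMRC_NOTTRUSTED = 3,   /* signature OK but key not trusted */
    RPMRC_NOKEY      = 4    /* public key not on the ring */
} rpmRC;

/* Hypothetical snapshot of what the checks in rpmchecksig.c would see. */
typedef struct {
    int   has_gpg_tag;   /* headerIsEntry(sigh, RPMSIGTAG_GPG) != 0 */
    int   size_ok;       /* RPMSIGTAG_SIZE matches the bytes actually read */
    int   md5_ok;        /* RPMSIGTAG_MD5 matches the header+payload digest */
    rpmRC verify_rc;     /* what rpmVerifySignature() returned */
} sigstate;

/* Reasons the strict gate can give; ACCEPT is 0 so callers can test != 0. */
typedef enum { ACCEPT = 0, REJ_NOSIG, REJ_SIZE, REJ_MD5, REJ_VERIFY } gate_reason;

/* Legacy-style handling: treat anything that is not RPMRC_FAIL as fine.
 * This is the "failure to verify is a warning" behaviour the thread describes. */
int legacy_accept(const sigstate *s) {
    return s->verify_rc != RPMRC_FAIL;
}

/* Strict gate in the order Star proposes: signature tag present, size,
 * md5, then verify must be exactly RPMRC_OK. Bails at the first miss. */
gate_reason strict_check(const sigstate *s) {
    if (!s->has_gpg_tag)          return REJ_NOSIG;
    if (!s->size_ok)              return REJ_SIZE;
    if (!s->md5_ok)               return REJ_MD5;
    if (s->verify_rc != RPMRC_OK) return REJ_VERIFY;  /* NOKEY etc. are rejects */
    return ACCEPT;
}

int strict_accept(const sigstate *s) {
    return strict_check(s) == ACCEPT;
}

/* Constructed sample packages (not real rpm data). */
const sigstate SAMPLE_SIGNED_TRUSTED = { 1, 1, 1, RPMRC_OK };
const sigstate SAMPLE_UNSIGNED       = { 0, 1, 1, RPMRC_NOTFOUND };
const sigstate SAMPLE_UNKNOWN_KEY    = { 1, 1, 1, RPMRC_NOKEY };
const sigstate SAMPLE_BAD_DIGEST     = { 1, 1, 0, RPMRC_OK };
const sigstate SAMPLE_BAD_SIG        = { 1, 1, 1, RPMRC_FAIL };

static const char *reason_str(gate_reason r) {
    static const char *names[] = { "accept", "no GPG tag", "size mismatch",
                                   "md5 mismatch", "verify != OK" };
    return names[r];
}

int main(void) {
    const sigstate *cases[] = { &SAMPLE_SIGNED_TRUSTED, &SAMPLE_UNSIGNED,
                                &SAMPLE_UNKNOWN_KEY, &SAMPLE_BAD_DIGEST,
                                &SAMPLE_BAD_SIG };
    const char *labels[] = { "signed+trusted", "unsigned", "unknown key",
                             "bad digest", "bad signature" };
    for (int i = 0; i < 5; i++)
        printf("%-15s legacy=%d strict=%d (%s)\n", labels[i],
               legacy_accept(cases[i]), strict_accept(cases[i]),
               reason_str(strict_check(cases[i])));
    return 0;
}
```

The legacy column accepts the unsigned, unknown-key and bad-digest samples; the strict column rejects everything except the signed-and-trusted one, which is the behaviour a setuid helper that only has trusted keys on its ring wants.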
