[PATCH] Fix a GPG validation bug.
John Wright
jsw at debian.org
Wed Aug 27 21:00:20 UTC 2014
From: John Wright <jsw at google.com>
With some trailing whitespace, the code could be tricked into validating
a signature, but using the bogus data after the signed section.
Adds a test case.
Closes: #695932
---
debian/changelog | 6 ++++
lib/debian/deb822.py | 3 +-
tests/test_Dsc.badsig | 78 +++++++++++++++++++++++++++++++++++++++++++++++++++
tests/test_deb822.py | 11 ++++++++
4 files changed, 97 insertions(+), 1 deletion(-)
create mode 100644 tests/test_Dsc.badsig
diff --git a/debian/changelog b/debian/changelog
index a33bdff..78d0d26 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,6 @@
python-debian (0.1.23) UNRELEASED; urgency=medium
+ [ Stuart Prescott ]
* Add sha512 sums to Release and Sources (Closes: #732599).
* Use warnings rather than stderr in PkgRelation (Closes: #712513).
* Expose the list of bugs closed by a changelog entry; thanks to Jelmer Vernooi
@@ -15,6 +16,11 @@ python-debian (0.1.23) UNRELEASED; urgency=medium
multi-arch related relationships (Closes: #670679)
* Parse build-profiles syntax.
+ [ John Wright ]
+ * Fix a GPG validation bug. With some trailing whitespace, the code
+ could be tricked into validating a signature, but using the bogus
+ data after the signed section (Closes: #695932).
+
-- Stuart Prescott <stuart at debian.org> Fri, 13 Jun 2014 00:27:59 +1000
python-debian (0.1.22) unstable; urgency=low
diff --git a/lib/debian/deb822.py b/lib/debian/deb822.py
index 9ed86d6..b40fd38 100644
--- a/lib/debian/deb822.py
+++ b/lib/debian/deb822.py
@@ -7,6 +7,7 @@
# Copyright (C) 2006-2010 John Wright <john at johnwright.org>
# Copyright (C) 2006 Adeodato Simó <dato at net.com.org.es>
# Copyright (C) 2008 Stefano Zacchiroli <zack at upsilon.cc>
+# Copyright (C) 2014 Google, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -631,7 +632,7 @@ class Deb822(Deb822Dict):
lines = []
gpg_post_lines = []
state = b'SAFE'
- gpgre = re.compile(br'^-----(?P<action>BEGIN|END) PGP (?P<what>[^-]+)-----$')
+ gpgre = re.compile(br'^-----(?P<action>BEGIN|END) PGP (?P<what>[^-]+)-----\s*$')
# Include whitespace-only lines in blank lines to split paragraphs.
# (see #715558)
blank_line = re.compile(b'^\s*$')
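Review bot: The widened `gpgre` on the `+` line deserves a why-comment, because `\s*$` reads as a cosmetic relaxation rather than the security fix it is: the old anchor let an armor line with trailing whitespace fall through as ordinary text, so this parser and gpgv disagreed on where the signed section ended and the caller could end up using unsigned data that gpgv never saw. I would add above it `# Tolerate trailing whitespace on armor lines, as gpgv does; otherwise this` / `# parser and gpgv disagree on where the signed block ends (Closes: #695932).` Note that `\s` also matches `\r`, which is desirable here if lines can arrive CRLF-terminated, but `$` in Python additionally matches before a final `\n`, so whether the lines still carry their newline at this point cannot be confirmed from the hunk. The enclosing function starts and ends outside the hunk, so the state machine that consumes `gpgre` matches (and any other spot that could disagree with gpgv, such as leading whitespace before the dashes) could not be checked here.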
diff --git a/tests/test_Dsc.badsig b/tests/test_Dsc.badsig
new file mode 100644
index 0000000..8a062bd
--- /dev/null
+++ b/tests/test_Dsc.badsig
@@ -0,0 +1,78 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+Format: 1.0
+Source: at
+Binary: at
+Architecture: any
+Version: 3.1.15-1
+Maintainer: Ansgar Burchardt <ansgar at debian.org>
+Standards-Version: 3.9.5
+Vcs-Browser: http://anonscm.debian.org/gitweb/?p=collab-maint/at.git
+Vcs-Git: git://anonscm.debian.org/collab-maint/at.git
+Build-Depends: debhelper (>= 9), autotools-dev, bison, flex, libpam0g-dev, perl (>= 5.10.1), dh-systemd
+Package-List:
+ at deb admin standard arch=any
+Checksums-Sha1:
+ 658840da37ee83fc81139b007cb4895abacb8b93 122968 at_3.1.15.orig.tar.gz
+ bd780f3e71a0751b65dfe3b10f9045cabba0f1e8 10154 at_3.1.15-1.diff.gz
+Checksums-Sha256:
+ 03a84f5293d5a95ef4231b7faf5578f141f0c76a2b304dd655bc7e90e97bf7fc 122968 at_3.1.15.orig.tar.gz
+ adf292bc0e733cc636822209cc1f7fa7102c5fc605f25f11dbda20e0d917cd90 10154 at_3.1.15-1.diff.gz
+Files:
+ f0f96db22e3a174b53ce4beeeb848839 122968 at_3.1.15.orig.tar.gz
+ 17846853a08753b886558d34d5dba1ac 10154 at_3.1.15-1.diff.gz
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+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+=sf7s
+-----END PGP SIGNATURE-----
+
+Format: 3.0 (quilt)
+Source: gnupg
+Binary: gnupg, gnupg-curl, gpgv, gnupg-udeb, gpgv-udeb, gpgv-win32
+Architecture: any all
+Version: 1.4.12-6
+Maintainer: Debian GnuPG-Maintainers <pkg-gnupg-maint at lists.alioth.debian.org>
+Uploaders: Sune Vuorela <debian at pusling.com>, Daniel Leidert <dleidert at debian.org>, Thijs Kinkhorst <thijs at debian.org>
+Homepage: http://www.gnupg.org
+Standards-Version: 3.9.3
+Vcs-Browser: http://svn.debian.org/wsvn/pkg-gnupg/gnupg/
+Vcs-Svn: svn://svn.debian.org/svn/pkg-gnupg/gnupg/trunk/
+Build-Depends: debhelper (>> 7), libz-dev, libldap2-dev, libbz2-dev, libusb-dev [!hurd-i386], libreadline-dev, file, gettext, libcurl4-gnutls-dev
+Build-Depends-Indep: mingw-w64
+Package-List:
+ gnupg deb utils important
+ gnupg-curl deb utils optional
+ gnupg-udeb udeb debian-installer extra
+ gpgv deb utils important
+ gpgv-udeb udeb debian-installer extra
+ gpgv-win32 deb utils extra
+Checksums-Sha1:
+ 790587e440ec7d429b120db7a96a237badc638fd 4939171 gnupg_1.4.12.orig.tar.gz
+ ad9793124c400ca7e858291155b42b53ee87d2d4 92008 gnupg_1.4.12-6.debian.tar.gz
+Checksums-Sha256:
+ bb94222fa263e55a5096fdc1c6cd60e9992602ce5067bc453a4ada77bb31e367 4939171 gnupg_1.4.12.orig.tar.gz
+ 2d146235f3ff89f119849d34f455ba659c0e0dd0c08693305bac56a33dfe5978 92008 gnupg_1.4.12-6.debian.tar.gz
+Files:
+ f9a65ccd7166d3fdb084454cf7427564 4939171 gnupg_1.4.12.orig.tar.gz
+ e23c2823d4105bfd4597fa4d1c88a87d 92008 gnupg_1.4.12-6.debian.tar.gz
+
+-----END PGP NOSIGNATURE-----
+Version: vim v7.3.547 (GNU/Linux)
+
+Signed and approved.
+-----END PGP NOSIGNATURE-----
diff --git a/tests/test_deb822.py b/tests/test_deb822.py
index b2143a0..50703ea 100755
--- a/tests/test_deb822.py
+++ b/tests/test_deb822.py
@@ -426,6 +426,17 @@ class TestDeb822(unittest.TestCase):
self.assertEqual(result['VALIDSIG'], valid['VALIDSIG'])
self.assertEqual(result['SIG_ID'][1:], valid['SIG_ID'][1:])
+ def test_gpg_info2(self):
+ if not (os.path.exists('/usr/bin/gpgv') and
+ os.path.exists('/usr/share/keyrings/debian-keyring.gpg')):
+ return
+
+ with open('test_Dsc.badsig', mode='rb') as f:
+ dsc = deb822.Dsc(f)
+ i = dsc.get_gpg_info()
+ self.assertTrue(i.valid())
+ self.assertEqual('at', dsc['Source'])
+
def test_iter_paragraphs_array(self):
text = (UNPARSED_PACKAGE + '\n\n\n' + UNPARSED_PACKAGE).splitlines()
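Review bot: The new `test_gpg_info2` silently passes when gpgv or the Debian keyring is missing, which hides the fact that the regression test for #695932 never ran; `self.skipTest('gpgv or debian-keyring not available')` instead of the bare `return` would make the gap visible in the test report. The two assertions are the right pair, but their intent is not obvious to a later reader: `self.assertTrue(i.valid())` checks that gpgv accepted the signature, while `self.assertEqual('at', dsc['Source'])` checks that the parsed paragraph is the signed one rather than the unsigned `Source: gnupg` block appended after the signature in the fixture. I would add a comment above them, `# Must parse the signed paragraph (Source: at), not the unsigned data after the END line.` The fixture is opened by the relative name `test_Dsc.badsig`, so the test depends on the working directory; that is presumably consistent with the existing tests in this class, which start outside the hunk.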
--
2.1.0