[PATCH] Fix a GPG validation bug.

John Wright jsw at debian.org
Wed Aug 27 21:00:20 UTC 2014


From: John Wright <jsw at google.com>

With trailing whitespace on the PGP armor boundary lines, the code could be
tricked into reporting a valid signature while the parsed fields were taken
from bogus, unsigned data placed after the signed section.

Adds a test case.

Closes: #695932
---
 debian/changelog      |  6 ++++
 lib/debian/deb822.py  |  3 +-
 tests/test_Dsc.badsig | 78 +++++++++++++++++++++++++++++++++++++++++++++++++++
 tests/test_deb822.py  | 11 ++++++++
 4 files changed, 97 insertions(+), 1 deletion(-)
 create mode 100644 tests/test_Dsc.badsig

diff --git a/debian/changelog b/debian/changelog
index a33bdff..78d0d26 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,6 @@
 python-debian (0.1.23) UNRELEASED; urgency=medium
 
+  [ Stuart Prescott ]
   * Add sha512 sums to Release and Sources (Closes: #732599).
   * Use warnings rather than stderr in PkgRelation (Closes: #712513).
   * Expose the list of bugs closed by a changelog entry; thanks to Jelmer Vernooi
@@ -15,6 +16,11 @@ python-debian (0.1.23) UNRELEASED; urgency=medium
     multi-arch related relationships (Closes: #670679)
   * Parse build-profiles syntax.
 
+  [ John Wright ]
+  * Fix a GPG validation bug.  With some trailing whitespace, the code
+    could be tricked into validating a signature, but using the bogus
+    data after the signed section (Closes: #695932).
+
  -- Stuart Prescott <stuart at debian.org>  Fri, 13 Jun 2014 00:27:59 +1000
 
 python-debian (0.1.22) unstable; urgency=low
diff --git a/lib/debian/deb822.py b/lib/debian/deb822.py
index 9ed86d6..b40fd38 100644
--- a/lib/debian/deb822.py
+++ b/lib/debian/deb822.py
@@ -7,6 +7,7 @@
 # Copyright (C) 2006-2010  John Wright <john at johnwright.org>
 # Copyright (C) 2006       Adeodato Simó <dato at net.com.org.es>
 # Copyright (C) 2008       Stefano Zacchiroli <zack at upsilon.cc>
+# Copyright (C) 2014       Google, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -631,7 +632,7 @@ class Deb822(Deb822Dict):
         lines = []
         gpg_post_lines = []
         state = b'SAFE'
-        gpgre = re.compile(br'^-----(?P<action>BEGIN|END) PGP (?P<what>[^-]+)-----$')
+        gpgre = re.compile(br'^-----(?P<action>BEGIN|END) PGP (?P<what>[^-]+)-----\s*$')
         # Include whitespace-only lines in blank lines to split paragraphs.
         # (see #715558)
         blank_line = re.compile(b'^\s*$')
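Review bot: The widened pattern on the `+` line now accepts armor boundary lines with trailing whitespace, but nothing in the hunk records why that tolerance is a security requirement, and the parser still re-implements gpgv's notion of where the signed data begins and ends; any remaining divergence between this regex and gpgv's armor handling (leading whitespace, stray `\r`, dash-escaped lines, the `Hash:` header block) would reintroduce the same class of bug, a signature reported valid for one byte stream while fields are parsed from another. I would add above the pattern: `# Must accept every armor line gpgv accepts (incl. trailing whitespace); if this parser and gpgv disagree on where the signed section ends, fields can be read from unsigned data (#695932).` A more durable fix, worth a follow-up, is to take the verified payload from gpgv itself (its `--output` option, if the supported versions provide it) instead of re-splitting the input here, so only one parser decides what was signed. The enclosing method starts and ends outside the hunk.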
diff --git a/tests/test_Dsc.badsig b/tests/test_Dsc.badsig
new file mode 100644
index 0000000..8a062bd
--- /dev/null
+++ b/tests/test_Dsc.badsig
@@ -0,0 +1,78 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+ 
+Format: 1.0
+Source: at
+Binary: at
+Architecture: any
+Version: 3.1.15-1
+Maintainer: Ansgar Burchardt <ansgar at debian.org>
+Standards-Version: 3.9.5
+Vcs-Browser: http://anonscm.debian.org/gitweb/?p=collab-maint/at.git
+Vcs-Git: git://anonscm.debian.org/collab-maint/at.git
+Build-Depends: debhelper (>= 9), autotools-dev, bison, flex, libpam0g-dev, perl (>= 5.10.1), dh-systemd
+Package-List:
+ at deb admin standard arch=any
+Checksums-Sha1:
+ 658840da37ee83fc81139b007cb4895abacb8b93 122968 at_3.1.15.orig.tar.gz
+ bd780f3e71a0751b65dfe3b10f9045cabba0f1e8 10154 at_3.1.15-1.diff.gz
+Checksums-Sha256:
+ 03a84f5293d5a95ef4231b7faf5578f141f0c76a2b304dd655bc7e90e97bf7fc 122968 at_3.1.15.orig.tar.gz
+ adf292bc0e733cc636822209cc1f7fa7102c5fc605f25f11dbda20e0d917cd90 10154 at_3.1.15-1.diff.gz
+Files:
+ f0f96db22e3a174b53ce4beeeb848839 122968 at_3.1.15.orig.tar.gz
+ 17846853a08753b886558d34d5dba1ac 10154 at_3.1.15-1.diff.gz
+ 
+-----BEGIN PGP SIGNATURE----- 
+Version: GnuPG v1
+ 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+=sf7s
+-----END PGP SIGNATURE----- 
+
+Format: 3.0 (quilt)
+Source: gnupg
+Binary: gnupg, gnupg-curl, gpgv, gnupg-udeb, gpgv-udeb, gpgv-win32
+Architecture: any all
+Version: 1.4.12-6
+Maintainer: Debian GnuPG-Maintainers <pkg-gnupg-maint at lists.alioth.debian.org>
+Uploaders: Sune Vuorela <debian at pusling.com>, Daniel Leidert <dleidert at debian.org>, Thijs Kinkhorst <thijs at debian.org>
+Homepage: http://www.gnupg.org
+Standards-Version: 3.9.3
+Vcs-Browser: http://svn.debian.org/wsvn/pkg-gnupg/gnupg/
+Vcs-Svn: svn://svn.debian.org/svn/pkg-gnupg/gnupg/trunk/
+Build-Depends: debhelper (>> 7), libz-dev, libldap2-dev, libbz2-dev, libusb-dev [!hurd-i386], libreadline-dev, file, gettext, libcurl4-gnutls-dev
+Build-Depends-Indep: mingw-w64
+Package-List:
+ gnupg deb utils important
+ gnupg-curl deb utils optional
+ gnupg-udeb udeb debian-installer extra
+ gpgv deb utils important
+ gpgv-udeb udeb debian-installer extra
+ gpgv-win32 deb utils extra
+Checksums-Sha1:
+ 790587e440ec7d429b120db7a96a237badc638fd 4939171 gnupg_1.4.12.orig.tar.gz
+ ad9793124c400ca7e858291155b42b53ee87d2d4 92008 gnupg_1.4.12-6.debian.tar.gz
+Checksums-Sha256:
+ bb94222fa263e55a5096fdc1c6cd60e9992602ce5067bc453a4ada77bb31e367 4939171 gnupg_1.4.12.orig.tar.gz
+ 2d146235f3ff89f119849d34f455ba659c0e0dd0c08693305bac56a33dfe5978 92008 gnupg_1.4.12-6.debian.tar.gz
+Files:
+ f9a65ccd7166d3fdb084454cf7427564 4939171 gnupg_1.4.12.orig.tar.gz
+ e23c2823d4105bfd4597fa4d1c88a87d 92008 gnupg_1.4.12-6.debian.tar.gz
+
+-----END PGP NOSIGNATURE-----
+Version: vim v7.3.547 (GNU/Linux)
+
+Signed and approved.
+-----END PGP NOSIGNATURE-----
diff --git a/tests/test_deb822.py b/tests/test_deb822.py
index b2143a0..50703ea 100755
--- a/tests/test_deb822.py
+++ b/tests/test_deb822.py
@@ -426,6 +426,17 @@ class TestDeb822(unittest.TestCase):
             self.assertEqual(result['VALIDSIG'], valid['VALIDSIG'])
             self.assertEqual(result['SIG_ID'][1:], valid['SIG_ID'][1:])
 
+    def test_gpg_info2(self):
+        if not (os.path.exists('/usr/bin/gpgv') and
+                os.path.exists('/usr/share/keyrings/debian-keyring.gpg')):
+            return
+
+        with open('test_Dsc.badsig', mode='rb') as f:
+            dsc = deb822.Dsc(f)
+            i = dsc.get_gpg_info()
+            self.assertTrue(i.valid())
+            self.assertEqual('at', dsc['Source'])
+
     def test_iter_paragraphs_array(self):
         text = (UNPARSED_PACKAGE + '\n\n\n' + UNPARSED_PACKAGE).splitlines()
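Review bot: The early `return` in `test_gpg_info2` makes this regression test pass vacuously wherever `/usr/bin/gpgv` or the Debian keyring is missing, so a run without them reports the #695932 fix as verified when it was never exercised; `self.skipTest('gpgv or debian-keyring.gpg not available')` would report it as skipped instead. The test only pins `Source`; the signed and unsigned halves of the fixture also differ in `Format` (`1.0` vs `3.0 (quilt)`), so `self.assertEqual('1.0', dsc['Format'])` would make the check more discriminating at no cost. Validity of the test further depends on the external Debian keyring still carrying the signer's key; a test keyring shipped alongside the fixture would remove that dependency, but that is a follow-up rather than a blocker for this patch.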
 
-- 
2.1.0



