On Fri, 2012-12-14 at 15:47:57 +0100, Ansgar Burchardt wrote:
> On 12/14/2012 02:51 PM, Guillem Jover wrote:
> >> This happens as Dpkg::Control::Hash skips until an empty line:
> >>
> >> 145 } elsif (m/^-----BEGIN PGP SIGNED MESSAGE/) {
> >> 146 $expect_pgp_sig = 1;
> >> 147 if ($$self->{'allow_pgp'}) {
> >> 148 # Skip PGP headers
> >> 149 while (<$fh>) {
> >> 150 last if m/^$/;
> >> 151 }
> >>
> >> However one can add trailing whitespace without breaking the signature
> >> causing
> >> the code to skip until the second section.
> >
> > Nice catch! I'm preparing a tiny fix, and I'm going over RFC4880 to see
> > if there's any other issues to take care of. Will most probably ask the
> > RT if they'd be fine including such fix for wheezy.
>
> There are quite a lot of them. Other fun things to abuse include the
> wrong markers in line 145 or dash-escaping text.
I had gone over the RFC, and as you note, the other problem I've spotted
is wrongly matched Armor Header Line (missing dashes and possible
whitespace before EOL). I don't see how dash-escaped text can be an
issue, as gpg would not consider it an Armor Header Line.
> Sadly I'm not sure of a painless way to safely extract the data that gpg
> (gpgv) actually checked the signature for: gpgv has no option for this
> and with gpg you only get the output when using something other than
> --verify, but then you have to check the output on --status-fd for the
> existance of a valid signature :/
I've fixed those locally now, and will do some more testing later
today. The RFC is pretty clear on how to parse this so I don't think
it's that painful.
> I did file a wishlist request against gnupg to provide an option that
> outputs the data as well as checking the signature (#695855).
Even if such new feature would get implemented, adding a versioned
dependency on it would be a bit harsh.
> As I found this problem in quite a lot of packages, I'll probably write
> a mail to d-devel later. Maybe somebody else has a better idea how to
> address this problem.
I think parsers just need to be fixed as specified in RFC4880.
Thanks,
Guillem
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
