https://sourceware.org/bugzilla/show_bug.cgi?id=28204

--- Comment #12 from Mark Wielaard <mark at klomp dot org> ---
In config/profile.csh.in and config/profile.sh.in the prefix variable is
explicitly set and no longer unset. Is that deliberate?

In debuginfod_validate_imasig the file_data = malloc(data_len); depends on the
(externally) given file size. It is then read in one pread call. And the whole
buffer is then given to EVP_DigestUpdate. Note that this might create a giant
malloc buffer, which might trigger OOM. pread might succeed with fewer bytes
than given. It needs to be called in a loop. But it would be better if we could
read it and feed it to EVP_DigestUpdate in (small) chunks.

Is EACCES the right error code to return when the signature couldn't be
checked/is invalid? That is the same as when we get CURLE_REMOTE_ACCESS_DENIED.
It might be good if it was a unique error code so users can know that the file
was not trusted.

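The chunked read loop suggested in the comment above, as an added example that is not part of the original comment or of the elfutils code. The names `hash_fd_chunked`, `digest_update_fn` and `CHUNK_SIZE` are hypothetical, and an FNV-1a stand-in replaces the real digest so the block runs without OpenSSL; the callback has the same shape and return convention as EVP_DigestUpdate.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for pread() */
#endif
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Same shape as EVP_DigestUpdate(ctx, data, len): returns 1 on success. */
typedef int (*digest_update_fn)(void *ctx, const void *data, size_t len);

#define CHUNK_SIZE 4096  /* fixed buffer, independent of the claimed file size */

/* Hash exactly data_len bytes of fd in CHUNK_SIZE pieces.
   Returns 0 on success, a negative errno value on failure. */
int hash_fd_chunked(int fd, off_t data_len, digest_update_fn update, void *ctx)
{
    unsigned char buf[CHUNK_SIZE];
    off_t off = 0;

    if (data_len < 0)
        return -EINVAL;
    while (off < data_len) {
        size_t want = sizeof buf;
        if ((off_t)want > data_len - off)
            want = (size_t)(data_len - off);

        ssize_t n = pread(fd, buf, want, off);
        if (n < 0) {
            if (errno == EINTR)
                continue;                 /* interrupted: retry same offset */
            return -errno;
        }
        if (n == 0)
            return -EIO;                  /* file is shorter than claimed size */
        if (update(ctx, buf, (size_t)n) != 1)
            return -EIO;                  /* feed only the bytes actually read */
        off += n;                         /* short read: loop picks up the rest */
    }
    return 0;
}

/* Stand-in digest (FNV-1a, 64-bit), an assumption used only for this demo. */
int fnv1a_update(void *ctx, const void *data, size_t len)
{
    uint64_t *h = ctx;
    const unsigned char *p = data;
    for (size_t i = 0; i < len; i++) { *h ^= p[i]; *h *= 1099511628211ULL; }
    return 1;
}
```

Memory use stays at `CHUNK_SIZE` bytes regardless of the externally supplied size, and a claimed size larger than the file is reported as an error instead of hashing uninitialised buffer contents.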