xmlsecurity/source/gpg/xmlsignature_gpgimpl.cxx | 2 ++ 1 file changed, 2 insertions(+)
New commits: commit 0e1592094e7463b07e9bc9725b4c85d5244bf997 Author: Samuel Mehrbrodt <samuel.mehrbr...@allotropia.de> AuthorDate: Thu Jul 11 23:15:26 2024 +0200 Commit: Samuel Mehrbrodt <samuel.mehrbr...@allotropia.de> CommitDate: Mon Jul 15 06:26:06 2024 +0200 tdf#108828 Prevent leaking keys from previous signing sessions Usuccessful signing sessions (e.g. abort when password is requested) left their key in the context. On the next try, the former key would also be used to sign. Change-Id: I55b9201df229cae40863a0a19b238029607d1848 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/170388 Reviewed-by: Samuel Mehrbrodt <samuel.mehrbr...@allotropia.de> Tested-by: Jenkins diff --git a/xmlsecurity/source/gpg/xmlsignature_gpgimpl.cxx b/xmlsecurity/source/gpg/xmlsignature_gpgimpl.cxx index 2eff021eb38f..fd2c5d1ebfbd 100644 --- a/xmlsecurity/source/gpg/xmlsignature_gpgimpl.cxx +++ b/xmlsecurity/source/gpg/xmlsignature_gpgimpl.cxx @@ -197,6 +197,8 @@ SAL_CALL XMLSignature_GpgImpl::generate( int nRet = xmlSecBase64Decode_ex(pKey, reinterpret_cast<xmlSecByte*>(pKey), xmlStrlen(pKey), &nWritten); if(nRet < 0) throw RuntimeException(u"The GpgME library failed to initialize for the OpenPGP protocol."_ustr); + + rCtx.clearSigningKeys(); // tdf#108828 Clear keys from previous unsuccessful sessions if( rCtx.addSigningKey( rCtx.key( reinterpret_cast<char*>(pKey), err, true)) )
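Review bot: The added `rCtx.clearSigningKeys();` only runs on entry to a later `generate()` call, and only after the `if(nRet < 0) throw` check, so a key from an aborted session stays attached to the context until another signing attempt gets that far. The commit message implies the context survives between sessions (where `rCtx` comes from is outside the hunk), so clearing on the failure path as well would be more robust, for example a scope guard placed right after `addSigningKey` that calls `rCtx.clearSigningKeys();` on every exit. At minimum the call could move above the `xmlSecBase64Decode_ex` check so the early `throw` cannot skip it. The body of `generate()` starts and ends outside the hunk, so whether a later cleanup already exists cannot be confirmed from here.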