From b3bd2e82c5edb17859a05e9bc0c37c811fa8412d Mon Sep 17 00:00:00 2001
From: Michal Domonkos
Date: Jul 12 2024 14:50:10 +0000
Subject: Revert "Don't confuse OpenScanHub with false array overrun"

Yikes. This was a rushed "fix" that caused a regression in --verify mode with the following error message:

Header RSA signature: BAD (header tag 268: invalid OpenPGP signature)

This was immediately caught by the CI (thank god we have it!). Since this patch was downstream-only (no internal OpenPGP parser in rpm upstream anymore), it didn't go through the usual peer review. I should have asked for it in GitLab still, no matter how innocent and tiny the change appears to be (lesson learned). Anyway, it's probably going to be safer to just mark this finding as a false positive (which it really is), as opposed to touching the code. Let's revisit later, for now, just revert.

This reverts commit ae9528bbef8b05883ae08ad345e4f945c04ad0ff.

Related: RHEL-22607
---
diff --git a/rpm-4.16.1.3-pgp-explicit-pointer-increment.patch b/rpm-4.16.1.3-pgp-explicit-pointer-increment.patch
deleted file mode 100644
index 217597a..0000000
--- a/rpm-4.16.1.3-pgp-explicit-pointer-increment.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up rpm-4.16.1.3/rpmio/rpmpgp.c.orig rpm-4.16.1.3/rpmio/rpmpgp.c
---- rpm-4.16.1.3/rpmio/rpmpgp.c.orig 2024-07-11 13:20:04.872431485 +0200
-+++ rpm-4.16.1.3/rpmio/rpmpgp.c 2024-07-11 13:20:33.828279453 +0200
-@@ -619,7 +619,7 @@ static int pgpPrtSig(pgpTag tag, const u
- p = &v->hashlen[0];
- if (pgpGet(v->hashlen, sizeof(v->hashlen), h + hlen, &plen))
- return 1;
-- p += sizeof(v->hashlen);
-+ p = h + sizeof(v);
- 
- if ((p + plen) > (h + hlen))
- return 1;
diff --git a/rpm.spec b/rpm.spec
index 9b8455d..047b566 100644
--- a/rpm.spec
+++ b/rpm.spec
@@ -32,7 +32,7 @@
 
 %global rpmver 4.16.1.3
 #global snapver rc1
-%global rel 31
+%global rel 32
 %global sover 9
 %global srcver %{rpmver}%{?snapver:-%{snapver}}
 
@@ -135,7 +135,6 @@ Patch916: 0006-debugedit-Handle-DWARF-5-debug_line-and-debug_line_s.patch
 Patch1000: rpm-4.16.1.3-hashtab-use-after-free-fix.patch
 Patch1001: rpm-4.16.1.3-find_debuginfo_vendor_opts.patch
 Patch1002: 0001-Macroize-find-debuginfo-script-location.patch
-Patch1003: rpm-4.16.1.3-pgp-explicit-pointer-increment.patch
 
 # Partially GPL/LGPL dual-licensed and some bits with BSD
 # SourceLicense: (GPLv2+ and LGPLv2+ with exceptions) and BSD
@@ -664,6 +663,9 @@ fi
 %doc doc/librpm/html/*
 
 %changelog
+* Fri Jul 12 2024 Michal Domonkos - 4.16.1.3-32
+- Revert incorrect fix for false array overrun (RHEL-22607)
+
 * Fri Jul 12 2024 Michal Domonkos - 4.16.1.3-31
 - Fix potential use of uninitialized pipe array (RHEL-22604)
 - Fix potential use of uninitialized pgp struct (RHEL-22605)