Re: [Rpm-maint] [rpm-software-management/rpm] Be much more careful about copying data from the signature header (#1577)
Merged #1577 into master.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/1577#event-4463707057

___
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Be much more careful about copying data from the signature header (#1577)
Mind you, the suggested optimization to avoid multiple sorts totally makes sense and never occurred to me at all (too much staring at how it always did it), so thanks for that! Just that with critical fixes needing backports and all, other enhancements such as performance are best kept apart - I planned to do a PR for that separately sooner or later.

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/1577#issuecomment-800144943
Re: [Rpm-maint] [rpm-software-management/rpm] Be much more careful about copying data from the signature header (#1577)
> I included a couple of minor performance suggestions, but those should not delay merging.

But that's exactly what such things tend to do, as I'm now wondering could there be some quirky code, especially very old versions, that cause it to actually rely on the put-sort cycle. It's extremely unlikely, but there have been stranger things (see commit da3a3a14e757ccd517e2eb2a3f0293ff48b3ff7f).

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/1577#issuecomment-800103719
Re: [Rpm-maint] [rpm-software-management/rpm] Be much more careful about copying data from the signature header (#1577)
(reporter credits added to commit message)

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/1577#issuecomment-799312095
[Rpm-maint] [rpm-software-management/rpm] Be much more careful about copying data from the signature header (#1577)
Only look for known tags, and ensure correct type and size where known before copying over. Bump the old arbitrary 16k count limit to a 16M limit though; it's not inconceivable that a package could have that many files.

While at it, ensure none of these tags exist in the main header, which would confuse us greatly.

This is optimized for backporting ease; upstream can remove redundancies and further improve checking later.

Fixes: RhBug:1935049, RhBug:1933867, RhBug:1935035, RhBug:1934125, ...
Fixes: CVE-2021-3421, CVE-2021-20271

You can view, comment on, or merge this pull request online at:
https://github.com/rpm-software-management/rpm/pull/1577

-- Commit Summary --
* Be much more careful about copying data from the signature header

-- File Changes --
M lib/package.c (114)

-- Patch Links --
https://github.com/rpm-software-management/rpm/pull/1577.patch
https://github.com/rpm-software-management/rpm/pull/1577.diff
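The approach the PR description outlines (walk an allowlist of known tags, check each one's type and item count against what is expected before copying it from the signature header, and refuse if the main header already carries such a tag) is shown below as an added, self-contained example. It is not rpm's code and does not use rpm's header API: the header layout, the tag numbers, the type codes, the count limits and the function names are all constructed for illustration. The 16M upper bound on the per-file list mirrors the limit the description mentions.

```c
/* Added example, not rpm's own code. Models a defensive copy of allowlisted
 * tags from a package's signature header into its main header. All structures,
 * tag numbers and names below are constructed placeholders. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum tag_type { TYPE_INT32 = 4, TYPE_STRING = 6, TYPE_BIN = 7 };

typedef struct {
    uint32_t tag;    /* tag number */
    uint32_t type;   /* data type of the entry */
    uint32_t count;  /* number of items (bytes for TYPE_BIN) */
} tag_entry;

#define MAX_ENTRIES 32
typedef struct {
    tag_entry e[MAX_ENTRIES];
    size_t n;
} header;

/* Allowlist: each known tag with the type and count range it must have.
 * Tag numbers 1001..1004 are constructed, not rpm's. */
typedef struct {
    uint32_t tag;
    uint32_t type;
    uint32_t min_count;
    uint32_t max_count;
} known_tag;

static const known_tag KNOWN[] = {
    { 1001, TYPE_BIN,    16, 16 },                 /* fixed-size digest */
    { 1002, TYPE_INT32,   1,  1 },                 /* single scalar */
    { 1003, TYPE_STRING,  1,  1 },                 /* single string */
    { 1004, TYPE_INT32,   0,  16u * 1024 * 1024 }, /* per-file list, up to 16M */
};
#define NKNOWN (sizeof KNOWN / sizeof KNOWN[0])

enum copy_result {
    COPY_ERR_MAIN_HAS_TAG = -1,  /* tag already present in main header */
    COPY_ERR_BAD_TYPE     = -2,  /* signature entry has the wrong type */
    COPY_ERR_BAD_COUNT    = -3,  /* count outside the allowed range */
    COPY_ERR_FULL         = -4,  /* main header has no room */
};

static const tag_entry *find_tag(const header *h, uint32_t tag) {
    for (size_t i = 0; i < h->n; i++)
        if (h->e[i].tag == tag) return &h->e[i];
    return NULL;
}

static void add(header *h, uint32_t tag, uint32_t type, uint32_t count) {
    if (h->n < MAX_ENTRIES) h->e[h->n++] = (tag_entry){ tag, type, count };
}

/* Copy only allowlisted tags from sig into main_hdr. Returns the number of
 * tags copied, or a negative enum copy_result. Validation runs over the
 * whole allowlist first, so a rejected header leaves main_hdr untouched. */
int copy_sig_tags(const header *sig, header *main_hdr) {
    size_t need = 0;
    for (size_t k = 0; k < NKNOWN; k++) {
        const known_tag *kt = &KNOWN[k];
        if (find_tag(main_hdr, kt->tag)) return COPY_ERR_MAIN_HAS_TAG;
        const tag_entry *te = find_tag(sig, kt->tag);
        if (!te) continue;                       /* tag absent: nothing to copy */
        if (te->type != kt->type) return COPY_ERR_BAD_TYPE;
        if (te->count < kt->min_count || te->count > kt->max_count)
            return COPY_ERR_BAD_COUNT;
        need++;
    }
    if (main_hdr->n + need > MAX_ENTRIES) return COPY_ERR_FULL;
    int copied = 0;
    for (size_t k = 0; k < NKNOWN; k++) {
        const tag_entry *te = find_tag(sig, KNOWN[k].tag);
        if (!te) continue;
        main_hdr->e[main_hdr->n++] = *te;        /* unknown tags are never reached */
        copied++;
    }
    return copied;
}

/* Scenarios over constructed headers; each returns copy_sig_tags' result. */
int scenario_valid(void) {
    header sig = {0}, mainh = {0};
    add(&sig, 1001, TYPE_BIN, 16);
    add(&sig, 1004, TYPE_INT32, 5000);
    add(&sig, 9999, TYPE_BIN, 4);                /* unknown tag: ignored */
    int r = copy_sig_tags(&sig, &mainh);
    return (r == 2 && mainh.n == 2 && !find_tag(&mainh, 9999)) ? r : -100;
}
int scenario_wrong_type(void) {                  /* digest carried as INT32 */
    header sig = {0}, mainh = {0};
    add(&sig, 1001, TYPE_INT32, 16);
    return copy_sig_tags(&sig, &mainh);
}
int scenario_oversized(void) {                   /* digest with 17 bytes */
    header sig = {0}, mainh = {0};
    add(&sig, 1001, TYPE_BIN, 17);
    return copy_sig_tags(&sig, &mainh);
}
int scenario_duplicate_in_main(void) {           /* main already has tag 1002 */
    header sig = {0}, mainh = {0};
    add(&sig, 1002, TYPE_INT32, 1);
    add(&mainh, 1002, TYPE_INT32, 1);
    return copy_sig_tags(&sig, &mainh);
}

int main(void) {
    printf("valid: %d\nwrong type: %d\noversized: %d\nduplicate: %d\n",
           scenario_valid(), scenario_wrong_type(),
           scenario_oversized(), scenario_duplicate_in_main());
    return 0;
}
```

The two-pass shape is the point of the design: every check (presence in the main header, type, count bounds, remaining room) is made before any entry is written, so an untrusted signature header either passes whole or is rejected whole, and a tag the allowlist does not name is never copied no matter what it contains.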