Report forwarded to debian-bugs-dist@lists.debian.org, brlink@debian.org (Bernhard R. Link): Bug#440535; Package reprepro.
Acknowledgement sent to "Bernhard R. Link" <brlink@debian.org>:
New Bug report received and forwarded. Copy sent to brlink@debian.org (Bernhard R. Link).
Package: reprepro
Version: 1.3.0-1
Severity: serious
Tags: etch security patch
This bug is just to document that the bug closed in 2.2.4 is still open in etch:
Version 1.3.0 included the change from libgpgme6 to libgpgme11. But a
part of this patch got lost, and thus reprepro only checks for
signatures with requested keys to be valid when updating a repository
from a remote one with the "update" command and does not complain if
there is no signature with a requested key at all. (Thus accepting
anything signed with only an unknown key, for example).
Versions prior to 1.3.0 and since 2.2.4 are not affected. Only updating
is affected. Checking keys when including packages by hand or via an
incoming dir is not affected.
I've sent a mail with the attached files to team@security.debian.org
on August 20th, but got no reply since then. Thus attaching them here
again.
Yours faithfully,
Bernhard R. Link
Bug marked as fixed in version 2.2.4-1.
Request was from "Bernhard R. Link" <brlink@debian.org>
to control@bugs.debian.org.
(Sun, 02 Sep 2007 16:09:01 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, brlink@debian.org (Bernhard R. Link): Bug#440535; Package reprepro.
Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to brlink@debian.org (Bernhard R. Link).
Hi,
> I've sent a mail with the attached files to team@security.debian.org
> on August 20th, but got no reply since then. Thus attaching them here
> again.
Thank you for your work, I've reviewed it and I'm wondering about why you made
this change specifically:
- if( kl < fl && strncmp(fingerprint+fl-kl,keypart,kl) == 0 )
+ if( kl < fl && strncasecmp(fingerprint+fl-kl,keypart,kl) == 0 )
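Review bot: the `kl < fl` guard, unchanged between the old and new line, rejects a keypart whose length equals the fingerprint's (kl == fl), so a user who configures the complete fingerprint never matches on this line unless an exact-match comparison precedes it elsewhere; `kl <= fl` would cover that case without affecting the shorter-suffix matches. The switch to strncasecmp is harmless for hex data and, given the reply below that libgpgme reports fingerprints in upper case, is a usability fix rather than part of the security fix; the commit message or changelog should say so to keep the two apart.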
Can you clarify?
Thanks!
Thijs
Information forwarded to debian-bugs-dist@lists.debian.org, brlink@debian.org (Bernhard R. Link): Bug#440535; Package reprepro.
Acknowledgement sent to "Bernhard R. Link" <brlink@debian.org>:
Extra info received and forwarded to list. Copy sent to brlink@debian.org (Bernhard R. Link).
To: Thijs Kinkhorst <thijs@debian.org>, 440535@bugs.debian.org
Subject: Re: Bug#440535: reprepro: Not properly checking signatures of repositories updating from
Date: Wed, 12 Sep 2007 18:20:19 +0200
* Thijs Kinkhorst <thijs@debian.org> [070912 14:05]:
> Hi,
>
> > I've sent a mail with the attached files to team@security.debian.org
> > on August 20th, but got no reply since then. Thus attaching them here
> > again.
>
> Thank you for your work, I've reviewed it and I'm wondering about why you made
> this change specifically:
>
> - if( kl < fl && strncmp(fingerprint+fl-kl,keypart,kl) == 0 )
> + if( kl < fl && strncasecmp(fingerprint+fl-kl,keypart,kl) == 0 )
>
> Can you clarify?
libgpgme always returns the fingerprints in upper case, and if the case
mismatches reprepro will just print that none of the requested keys were
found (because no key with a lower-case fingerprint was found, as there
can't be one with libgpgme).
As humans often tend to use lower case, this could lead to some confusion when
upgrading (as it looks like it worked before and then suddenly claims
there is no known key while there is, just with the wrong key).
Yours faithfully,
Bernhard R. Link
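The two checks discussed in this thread, as an added example in C that is not reprepro's own code: the etch-era acceptance logic that only requires signatures from requested keys to be valid, beside the corrected logic that requires at least one such signature to exist, together with the case-insensitive fingerprint suffix match from the patch. The struct and function names and the sample fingerprints are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

struct signature {
    const char *fingerprint; /* as libgpgme reports it: upper-case hex */
    bool valid;              /* the signature verified against this key */
};

/* Does keypart, as the user wrote it in the update rule, name this
 * fingerprint? Suffix match, case-insensitive because libgpgme only ever
 * returns upper-case while humans often type lower-case. */
static bool key_matches(const char *fingerprint, const char *keypart)
{
    size_t fl = strlen(fingerprint), kl = strlen(keypart);
    return kl <= fl && strncasecmp(fingerprint + fl - kl, keypart, kl) == 0;
}

/* The etch behaviour the report describes: a signature made by a requested
 * key must be valid, but nothing requires one to be present, so a file
 * signed only by an unknown key passes. */
bool accept_update_broken(const struct signature *sigs, size_t n,
                          const char *const *keys, size_t nkeys)
{
    for (size_t i = 0; i < n; i++)
        for (size_t k = 0; k < nkeys; k++)
            if (key_matches(sigs[i].fingerprint, keys[k]) && !sigs[i].valid)
                return false;
    return true;
}

/* Fixed behaviour: at least one valid signature by a requested key. */
bool accept_update_fixed(const struct signature *sigs, size_t n,
                         const char *const *keys, size_t nkeys)
{
    for (size_t i = 0; i < n; i++)
        for (size_t k = 0; k < nkeys; k++)
            if (key_matches(sigs[i].fingerprint, keys[k]) && sigs[i].valid)
                return true;
    return false;
}

/* Constructed sample data (hypothetical fingerprints, not real keys). */
static const char *const requested[] = { "0123456789abcdef" };
static const struct signature unknown_only[] = {
    { "DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF", true } };
static const struct signature trusted_ok[] = {
    { "8BADF00D8BADF00D8BADF00D0123456789ABCDEF", true } };
```

With the constructed data, the broken check accepts a Release signed only by the unknown key while the fixed check rejects it, and both accept the file signed by the requested key even though the rule was typed in lower case.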
Tags added: pending
Request was from Thijs Kinkhorst <thijs@debian.org>
to control@bugs.debian.org.
(Sun, 16 Sep 2007 16:24:03 GMT)
Bug marked as fixed in version 1.3.1+1-1, send any further explanations to "Bernhard R. Link" <brlink@debian.org>
Request was from "Bernhard R. Link" <brlink@debian.org>
to control@bugs.debian.org.
(Wed, 24 Oct 2007 09:21:02 GMT)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 27 Dec 2007 07:28:46 GMT)