File CVE-2020-10759.patch of Package fwupd.15879
From 21f2d12fccef63b8aaa99ec53278ce18250b0444 Mon Sep 17 00:00:00 2001
From: Richard Hughes <richard@hughsie.com>
Date: Thu, 28 May 2020 16:42:18 +0100
Subject: [PATCH] Validate that gpgme_op_verify_result() returned at least one
signature

If a detached signature is actually a PGP message, gpgme_op_verify() returns
the rather perplexing GPG_ERR_NO_ERROR, and then gpgme_op_verify_result()
builds an empty list.

Explicitly check for no signatures present to avoid returning a FuKeyringResult
with no timestamp and an empty authority.

Many thanks to Justin Steven <justin@justinsteven.com> for the discovery and
coordinated disclosure of this issue. Fixes CVE-2020-10759
---
src/fu-keyring-gpg.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/fu-keyring-gpg.c b/src/fu-keyring-gpg.c
index f06449cf..15d6e2c3 100644
--- a/src/fu-keyring-gpg.c
+++ b/src/fu-keyring-gpg.c
@@ -297,6 +297,13 @@ fu_keyring_gpg_verify_data (FuKeyring *keyring,
"no result record from libgpgme");
return NULL;
}
+ if (result->signatures == NULL) {
+ g_set_error_literal (error,
+ FWUPD_ERROR,
+ FWUPD_ERROR_INTERNAL,
+ "no signatures from libgpgme");
+ return NULL;
+ }
/* look at each signature */
for (s = result->signatures; s != NULL ; s = s->next ) {
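Review bot: the new `result->signatures == NULL` check reports the condition as FWUPD_ERROR_INTERNAL, but unlike the "no result record from libgpgme" case directly above it, an empty signature list is reached by feeding the verifier untrusted input of the wrong shape (per the commit message, a PGP message passed where a detached signature is expected), not by a libgpgme fault. Consider returning FWUPD_ERROR_SIGNATURE_INVALID here instead, so callers and anyone reading the daemon logs can tell a rejected signature apart from a genuine internal error; the check itself is the right fix, since without it the loop body is skipped and a result with no timestamp and an empty authority is handed back as if verification had succeeded.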
--
2.26.2