File CVE-2020-10759.patch of Package fwupd.15879

From 21f2d12fccef63b8aaa99ec53278ce18250b0444 Mon Sep 17 00:00:00 2001
From: Richard Hughes <richard@hughsie.com>
Date: Thu, 28 May 2020 16:42:18 +0100
Subject: [PATCH] Validate that gpgme_op_verify_result() returned at least one
 signature

If a detached signature is actually a PGP message, gpgme_op_verify() returns
the rather perplexing GPG_ERR_NO_ERROR, and then gpgme_op_verify_result()
builds an empty list.

Explicitly check for no signatures present to avoid returning a FuKeyringResult
with no timestamp and an empty authority.

Many thanks to Justin Steven <justin@justinsteven.com> for the discovery and
coordinated disclosure of this issue. Fixes CVE-2020-10759
---
 src/fu-keyring-gpg.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/fu-keyring-gpg.c b/src/fu-keyring-gpg.c
index f06449cf..15d6e2c3 100644
--- a/src/fu-keyring-gpg.c
+++ b/src/fu-keyring-gpg.c
@@ -297,6 +297,13 @@ fu_keyring_gpg_verify_data (FuKeyring *keyring,
 				     "no result record from libgpgme");
 		return NULL;
 	}
+	if (result->signatures == NULL) {
+		g_set_error_literal (error,
+				     FWUPD_ERROR,
+				     FWUPD_ERROR_INTERNAL,
+				     "no signatures from libgpgme");
+		return NULL;
+	}
 
 	/* look at each signature */
 	for (s = result->signatures; s != NULL ; s = s->next ) {
-- 
2.26.2

openSUSE Build Service is sponsored by