On Sat, Sep 30, 2006 at 10:24:47AM +0200, Robert Millan wrote:
>I'm not sure what the subset of non-zero exit status that result after this
>bitshifting means (FWIW, the gpg manpage only makes distinction between zero
>and non-zero status), but it's clearly something we don't want.  If gpg returns
>non-zero, it is a potential security issue and I think it should be treated as
>an unpack error.

The bit shifting is due to the way that wait(2) packs the termination
status of a process (which perl stashes in $?):  two bytes with the most
significant representing the exit status of the process or the least
giving the terminating signal.

Are you sure that gpg should croak on all errors?  An exit value of 2 is
returned for example if the key is unavailable to check the signature.

If you want that behaviour then I'd like to see it applied optionally,
something like the patch following.

--bod

--- dpkg-source.orig    2006-06-22 01:08:36.000000000 +1000
+++ dpkg-source 2006-10-02 11:59:05.000000000 +1000
@@ -106,6 +106,7 @@
   -sp (default)            leave orig source packed in current dir.
   -sn                      do not copy original source to current dir.
   -su                      unpack original source tree too.
+  -S                       strict signature checking.
 
 General options:
   -h, --help               show this help message.
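Review bot: the help text for the new `-S` option says only "strict signature checking", which does not tell the user that it also refuses unsigned packages and aborts when gpg is not installed (both added in the third hunk); spell that out, e.g. `-S  fail on unsigned source or on any gpg error.`, and give dpkg-source(1) the same entry, since this patch updates the usage text only.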
@@ -164,6 +165,8 @@
         $warnable_error= 0;
     } elsif (m/^-q$/) {
         $quiet_warnings = 1;
+    } elsif (m/^-S$/) {
+       $strict_sigs= 1;
     } elsif (m/^--$/) {
         last;
     } else {
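Review bot: `$strict_sigs` is set here but nowhere in the patch is it declared or initialised; if dpkg-source runs under `use strict` this will not compile, and even if it does not, the later `... or $strict_sigs` tests depend on the variable being false by default, so add `my $strict_sigs = 0;` next to where `$quiet_warnings` is declared. Also, `$strict_sigs= 1;` is indented one column short of the surrounding assignments and drops the space before `=` that they use.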
@@ -624,15 +627,20 @@
            $gpg_command = $gpg_command.quotemeta($dsc).' 2>&1';
 
            my @gpg_output = `$gpg_command`;
-           my $gpg_status = $? >> 8;
-           if ($gpg_status) {
-               print STDERR join("",@gpg_output);
+           print STDERR join("",@gpg_output) if $?;
+           if (WIFSIGNALED($?)) {
+               &error(sprintf(_g("gpg killed checking signature on %s: %d"), 
$dsc, WTERMSIG($?)));
+           } elsif ($?) {
                &error(sprintf(_g("failed to verify signature on %s"), $dsc))
-                   if ($gpg_status == 1);
+                   if WEXITSTATUS($?) == 1 or $strict_sigs;
            }
+       } elsif ($strict_sigs) {
+           &error(sprintf(_g("could not verify signature on %s since gpg isn't 
installed"), $dsc));
        } else {
            &warn(sprintf(_g("could not verify signature on %s since gpg isn't 
installed"), $dsc));
        }
+    } elsif ($strict_sigs) {
+       &error(sprintf(_g("not extracting unsigned source package (%s)"), 
$dsc));
     } else {
        &warn(sprintf(_g("extracting unsigned source package (%s)"), $dsc));
     }
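Review bot: `WIFSIGNALED`, `WTERMSIG` and `WEXITSTATUS` are exported by the POSIX module and this hunk adds no `use POSIX qw(WIFSIGNALED WTERMSIG WEXITSTATUS);`; unless dpkg-source already imports them they are undefined subroutines at runtime and the new check dies before it can do anything useful, so please confirm the import or add it. Separately, in strict mode a gpg exit status of 2 (key unavailable, as you note above) now produces "failed to verify signature on %s", the same message as a bad signature (exit 1); a distinct message for the non-1 case would let the user tell a forged package from a missing key. The `print STDERR ... if $?` change is a real improvement: with the old `$? >> 8` test a gpg killed by a signal had a status of 0 and was silently treated as success.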



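To make the wait-status point concrete, here is an added example (not part of the patch above or of dpkg): it decodes constructed `$?` values with the POSIX macros and shows that `$? >> 8` reads a gpg killed by a signal as exit status 0, which is why the patch checks `WIFSIGNALED` first. The gpg exit codes assumed here follow the reply above: 1 is a bad signature, 2 means the signature could not be checked (e.g. key unavailable).

```perl
#!/usr/bin/perl
# Added example, not dpkg-source code: decode a wait(2) status as perl
# exposes it in $? and apply a lenient or strict policy to the result.
use strict;
use warnings;
use POSIX qw(WIFSIGNALED WTERMSIG WEXITSTATUS);

# Verdict for one gpg wait status. Exit-code meanings are assumptions
# taken from the discussion: 1 = bad signature, 2 = could not check.
sub classify_gpg_status {
    my ($status, $strict) = @_;
    # A killed gpg produced no verdict at all; never treat that as success.
    return 'killed by signal ' . WTERMSIG($status) if WIFSIGNALED($status);
    my $exit = WEXITSTATUS($status);
    return 'ok'      if $exit == 0;
    return 'bad-sig' if $exit == 1;
    # Exit 2 (or anything else): strict fails closed, lenient only warns.
    return $strict ? 'error' : 'unverified';
}

# Constructed wait statuses, not captured from a real gpg run.
# wait(2) packs the exit code in the high byte and the signal in the low byte.
my %sample = (
    'exit 0'      => 0 << 8,
    'exit 1'      => 1 << 8,
    'exit 2'      => 2 << 8,
    'SIGKILL (9)' => 9,   # low byte only, so ($status >> 8) == 0
);

for my $name (sort keys %sample) {
    my $st = $sample{$name};
    printf "%-12s raw=%#06x  >>8=%d  lenient=%-12s strict=%s\n",
        $name, $st, $st >> 8,
        classify_gpg_status($st, 0), classify_gpg_status($st, 1);
}
```

The `>>8` column is what the pre-patch code tested with `if ($gpg_status)`; for the SIGKILL row it is 0, so the old check would have let an aborted verification through.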