On Tue, Oct 26, 2021 at 11:50:53AM +0200, Justus Winter wrote:
> I think what you are saying is that RPM expects certificates to be
> canonicalized before they are fed to RPM. But, that is exactly what led
> to CVE-2021-3521.
>
> https://access.redhat.com/security/cve/cve-2021-3521

No, that's about rpm not checking any signature in the certificates at all. Which is actually not that bad if you insist that the user must only import trusted certificates. It depends on how you define the attack vector: can you convince the admin to do a 'rpm --import' on unsafe material? E.g. something downloaded from a public key server? It's certainly sane to verify that at least the self-sigs are valid and protect the data that needs protection.

> No, that is not the old RFC that Werner has been working on. The
> document that Werner worked on is
>
> https://datatracker.ietf.org/doc/draft-ietf-openpgp-rfc4880bis/
>
> It is true that a lot of changes that were in RFC4880bis were cleaned
> up, improved, and merged into the openpgp-crypto-refresh. But, in
> contrast to RFC4880bis, the openpgp-crypto-refresh has been written by
> the working group's design team and represents a broad consensus among
> active OpenPGP implementations.

Well, if you diff the two documents it certainly looks like most changes are taken from the RFC4880bis (with some exotic things removed).

-- 
Michael Schroeder                    SUSE Software Solutions Germany GmbH
m...@suse.de                           GF: Felix Imendoerffer HRB 36809, AG Nuernberg
main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);}

_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint
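The message above argues that key material fed to 'rpm --import' should at least have its self-signatures checked. The following Python is an added example, not code from the thread or from rpm itself: it walks the RFC 4880 packet structure of a binary OpenPGP certificate (old- and new-format packet headers) and reports every User ID or subkey that is not followed by a signature packet of the expected type (a certification, 0x10 to 0x13, for a User ID; a subkey binding, 0x18, for a subkey). It is a structural pre-check only: it tells you which components lack a binding signature altogether, which is the shape of material an unchecked import accepts, but it does not cryptographically verify the signatures that are present. The sample certificates at the bottom are constructed inline with dummy key and signature bodies; the helper names (`parse_packets`, `unsigned_components`, `_pkt`, `_pkt_old`, `_sig`) are this example's own.

```python
"""Structural self-signature check over an OpenPGP certificate (RFC 4880 packet syntax)."""
from typing import List, Tuple

# RFC 4880 section 4.3 packet tags used by a public-key certificate
TAG_SIGNATURE = 2
TAG_PUBLIC_KEY = 6
TAG_USER_ID = 13
TAG_PUBLIC_SUBKEY = 14
# RFC 4880 section 5.2.1 signature types that bind a component to the primary key
SIG_CERT_TYPES = {0x10, 0x11, 0x12, 0x13}  # certifications over a User ID
SIG_SUBKEY_BINDING = 0x18


def parse_packets(data: bytes) -> List[Tuple[int, bytes]]:
    """Split binary OpenPGP data into (tag, body) pairs.

    Handles old-format headers (section 4.2.1, 1/2/4-octet lengths) and
    new-format headers (section 4.2.2, 1/2/5-octet lengths). Partial body
    lengths and indeterminate lengths are rejected: they are not used in
    key material and a checker should not guess through them.
    """
    packets = []
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"invalid packet header at offset {i}")
        if ctb & 0x40:  # new format
            tag = ctb & 0x3F
            first = data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body length not accepted in key material")
        else:  # old format: tag in bits 2-5, length-type in bits 0-1
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not accepted in key material")
            hdr = 1 + (1 << ltype)  # 1, 2 or 4 length octets
            length = int.from_bytes(data[i + 1:i + hdr], "big")
        body = data[i + hdr:i + hdr + length]
        if len(body) != length:
            raise ValueError(f"truncated packet at offset {i}")
        packets.append((tag, body))
        i += hdr + length
    return packets


def unsigned_components(data: bytes) -> List[str]:
    """Return the User IDs and subkeys that carry no signature packet of the right type.

    Follows the transferable-key layout of RFC 4880 section 11.1: primary key,
    then each User ID followed by its certifications, then each subkey followed
    by its binding signature. An empty result means every component is at
    least accompanied by a plausible self-signature packet; verifying those
    signatures cryptographically is a separate step this check does not do.
    """
    packets = parse_packets(data)
    if not packets or packets[0][0] != TAG_PUBLIC_KEY:
        raise ValueError("certificate must start with a public-key packet")
    missing, current, signed, subkeys = [], None, True, 0
    for tag, body in packets[1:]:
        if tag in (TAG_USER_ID, TAG_PUBLIC_SUBKEY):
            if current is not None and not signed:
                missing.append(current[0])
            if tag == TAG_USER_ID:
                current = ("uid:" + body.decode("utf-8", "replace"), SIG_CERT_TYPES)
            else:
                subkeys += 1
                current = (f"subkey#{subkeys}", {SIG_SUBKEY_BINDING})
            signed = False
        elif tag == TAG_SIGNATURE and current is not None:
            # v4 signature body: octet 0 = version, octet 1 = signature type
            if len(body) >= 2 and body[0] == 4 and body[1] in current[1]:
                signed = True
    if current is not None and not signed:
        missing.append(current[0])
    return missing


# --- constructed sample material (dummy bodies; only the structure matters) ---
def _pkt(tag: int, body: bytes) -> bytes:
    """New-format packet with a one-octet length (body shorter than 192 octets)."""
    return bytes([0xC0 | tag, len(body)]) + body


def _pkt_old(tag: int, body: bytes) -> bytes:
    """Old-format packet with a one-octet length (length-type 0)."""
    return bytes([0x80 | (tag << 2), len(body)]) + body


def _sig(sig_type: int) -> bytes:
    """Stand-in v4 signature packet: version octet, type octet, dummy remainder."""
    return _pkt(TAG_SIGNATURE, bytes([4, sig_type]) + b"\x00" * 8)


GOOD_CERT = (_pkt_old(TAG_PUBLIC_KEY, b"\x04" + b"\x00" * 16)
             + _pkt(TAG_USER_ID, b"Alice <alice@example.org>") + _sig(0x13)
             + _pkt(TAG_PUBLIC_SUBKEY, b"\x04" + b"\x00" * 16) + _sig(0x18))

# Same components with every signature packet stripped: the kind of input a
# signature-less import accepts and this check is meant to flag.
BAD_CERT = (_pkt_old(TAG_PUBLIC_KEY, b"\x04" + b"\x00" * 16)
            + _pkt(TAG_USER_ID, b"Alice <alice@example.org>")
            + _pkt(TAG_PUBLIC_SUBKEY, b"\x04" + b"\x00" * 16))

if __name__ == "__main__":
    print("good:", unsigned_components(GOOD_CERT))
    print("bad: ", unsigned_components(BAD_CERT))
```

To run this on real material, dearmor the key first (an ASCII-armored block needs base64 decoding and CRC stripping before it is binary packet data) and treat a non-empty result as a reason to refuse the import; an empty result still has to be followed by real signature verification with an OpenPGP implementation.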