gpg: Avoid potential downgrade to SHA1 in 3rd party key signatures.
4329e4746368
Actions

Description

gpg: Avoid potential downgrade to SHA1 in 3rd party key signatures.

* g10/sig-check.c (check_signature_over_key_or_uid): Always initialize
IS_SELFSIG because it is later used to detect SHA1 non-selfsignatures.

The value of is_selfsig was also used to decide whether to reject a a
SHA_signature if it is not a self-signature. However, a code path
exists where is_selfsig was set to stub_is_selfsig and not initilaized
in this case.

Fixes-commit: edc36f59fcfcb4b896a53530345d586f7e5df560
Reported-by: 8b79fe4dd0581c1cd000e1fbecba9f39e16a396a

Details

Provenance

• werner

Authored on Wed, Oct 22, 11:19 AM

Parents

rGe6fa3f0e00e5: Post release updates

Branches

Unknown

Tags

Unknown

References

STABLE-BRANCH-2-2

Event Timeline

• werner committed rG4329e4746368: gpg: Avoid potential downgrade to SHA1 in 3rd party key signatures. (authored by • werner).Wed, Oct 22, 2:09 PM

Changes (1)

Path

Size

g10/

sig-check.c

rG4329e4746368

View Options