gpg: Avoid potential downgrade to SHA1 in 3rd party key signatures.
db9705ef594d
Actions

Description

gpg: Avoid potential downgrade to SHA1 in 3rd party key signatures.

* g10/sig-check.c (check_signature_over_key_or_uid): Always initialize
IS_SELFSIG because it is later used to detect SHA1 non-selfsignatures.

The value of is_selfsig was also used to decide whether to reject a a
SHA_signature if it is not a self-signature. However, a code path
exists where is_selfsig was set to stub_is_selfsig and not initilaized
in this case.

Fixes-commit: c4f2d9e3e1d77d2f1f168764fcdfed32f7d1dfc4
Reported-by: 8b79fe4dd0581c1cd000e1fbecba9f39e16a396a

Details

Provenance

• werner

Authored on Wed, Oct 22, 11:19 AM

Parents

rG2d9e1295a1f4: gpg,gpgsm: Serialize write access to keybox/keyring to protect.

Branches

Unknown

Tags

Unknown

Event Timeline

• werner committed rGdb9705ef594d: gpg: Avoid potential downgrade to SHA1 in 3rd party key signatures. (authored by • werner).Wed, Oct 22, 11:20 AM

• werner mentioned this in T7869: Release GnuPG 2.5.14.Wed, Oct 22, 2:18 PM

• werner mentioned this in T7801: Release GnuPG 2.5.13.Wed, Oct 22, 2:21 PM

Changes (1)

Path

Size

g10/

sig-check.c

rGdb9705ef594d

View Options