Harden signature verification process

This mostly boils down to making sure control_started and
data_started are consistently used to gate actions, instead of
relying whether on file names start with a '.'.

None of the weaknesses this fixes are exploitable, but they
might have become so after changes to seemingly-unrelated code,
so it's good to clean them up.
cute-signatures
Reid Rankin 2020-01-23 17:07:21 +00:00 committed by Timo Teräs
parent 093c4b8077
commit d25e5e3879
2 changed files with 32 additions and 29 deletions

View File

@ -2388,7 +2388,19 @@ static int apk_db_install_archive_entry(void *_ctx,
if (r <= 0)
return r;
r = 0;
/* Package metainfo and script processing */
if (ctx->sctx.control_started && !ctx->sctx.data_started) {
if (strcmp(ae->name, ".PKGINFO") == 0) {
apk_blob_t l, token = APK_BLOB_STR("\n");
while (!APK_BLOB_IS_NULL(l = apk_istream_get_delim(is, token)))
read_info_line(ctx, l);
return 0;
}
if (ae->name[0] == '.')
type = apk_script_type(&ae->name[1]);
if (type == APK_SCRIPT_INVALID)
return 0;
}
/* Sanity check the file name */
if (ae->name[0] == '/' ||
@ -2402,20 +2414,6 @@ static int apk_db_install_archive_entry(void *_ctx,
return 0;
}
/* Package metainfo and script processing */
if (ae->name[0] == '.') {
/* APK 2.0 format */
if (strcmp(ae->name, ".PKGINFO") == 0) {
apk_blob_t l, token = APK_BLOB_STR("\n");
while (!APK_BLOB_IS_NULL(l = apk_istream_get_delim(is, token)))
read_info_line(ctx, l);
return 0;
}
type = apk_script_type(&ae->name[1]);
if (type == APK_SCRIPT_INVALID)
return 0;
}
/* Handle script */
if (type != APK_SCRIPT_INVALID) {
apk_ipkg_add_script(ipkg, is, type, ae->size);

View File

@ -613,14 +613,16 @@ int apk_sign_ctx_parse_pkginfo_line(void *ctx, apk_blob_t line)
struct apk_sign_ctx *sctx = (struct apk_sign_ctx *) ctx;
apk_blob_t l, r;
if (!sctx->control_started || sctx->data_started)
return 0;
if (line.ptr == NULL || line.len < 1 || line.ptr[0] == '#')
return 0;
if (!apk_blob_split(line, APK_BLOB_STR(" = "), &l, &r))
return 0;
if (sctx->data_started == 0 &&
apk_blob_compare(APK_BLOB_STR("datahash"), l) == 0) {
if (apk_blob_compare(APK_BLOB_STR("datahash"), l) == 0) {
sctx->has_data_checksum = 1;
sctx->md = EVP_sha256();
apk_blob_pull_hexdump(
@ -641,6 +643,9 @@ int apk_sign_ctx_verify_tar(void *sctx, const struct apk_file_info *fi,
if (r <= 0)
return r;
if (!ctx->control_started || ctx->data_started)
return 0;
if (strcmp(fi->name, ".PKGINFO") == 0) {
apk_blob_t l, token = APK_BLOB_STR("\n");
while (!APK_BLOB_IS_NULL(l = apk_istream_get_delim(is, token)))
@ -891,21 +896,21 @@ static int read_info_entry(void *ctx, const struct apk_file_info *ae,
struct apk_package *pkg = ri->pkg;
int r;
/* Meta info and scripts */
r = apk_sign_ctx_process_file(ri->sctx, ae, is);
if (r <= 0) return r;
if (r <= 0)
return r;
if (ae->name[0] == '.') {
/* APK 2.0 format */
if (strcmp(ae->name, ".PKGINFO") == 0) {
apk_blob_t l, token = APK_BLOB_STR("\n");
while (!APK_BLOB_IS_NULL(l = apk_istream_get_delim(is, token)))
read_info_line(ctx, l);
} else if (strcmp(ae->name, ".INSTALL") == 0) {
apk_warning("Package '%s-%s' contains deprecated .INSTALL",
pkg->name->name, pkg->version);
}
if (!ri->sctx->control_started || ri->sctx->data_started)
return 0;
if (strcmp(ae->name, ".PKGINFO") == 0) {
/* APK 2.0 format */
apk_blob_t l, token = APK_BLOB_STR("\n");
while (!APK_BLOB_IS_NULL(l = apk_istream_get_delim(is, token)))
read_info_line(ctx, l);
} else if (strcmp(ae->name, ".INSTALL") == 0) {
apk_warning("Package '%s-%s' contains deprecated .INSTALL",
pkg->name->name, pkg->version);
}
return 0;