[PATCH gnupg] g10/import.c: ignore too large signature packets
Werner Koch
wk at gnupg.org
Fri Apr 22 20:40:30 CEST 2022
On Fri, 15 Apr 2022 18:47, Robert Bartel said:
> A better behavior, instead of failing the public key import, would be to
> just ignore too large signature packets. This can be achieved with the
Right. However, this fixes just one case and has the side-effect that
it can be used to strip for example an revocation signatures. This
might be possible by uploading a signature with extra data the unhashed
area. Depends on the keyserver.
> I hope it does not introduce new problems in the code, like missing self
> signatures when they are too large (will the import fail or lead to an
Exactly. Broken keys are broken and should better not be used.
> Please consider applying the patch upstream or making equivalent changes
> to the code, to get GnuPG more DoS resistant in the future.
I am not sure whether this makes a lot of sense given that this is just
one way to trigger a limit in GnuPG. The limits have actually been
implemented to limit the effect of broken keys.
Salam-Shalom,
Werner
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20220422/fa2787c7/attachment.sig>
More information about the Gnupg-devel
mailing list