Red Hat Bugzilla – Bug 1277464
RPM should not crash on old GPG keys
Last modified: 2015-11-08 17:20:04 EST
Description of problem:
After upgrading to the F23 version of rpm, most commands started to crash with a segmentation fault.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Prepare an RPM database with some old keys. In my case, I had the keys gpg-pubkey-cba29bf9-31295e35.src and gpg-pubkey-acba50c7-3509d939.src still around in my database. They were installed during 2002, so they were indeed old.
2. Upgrade to current RPM
3. rpm -qa
A segmentation fault
A list of all packages.
After a little debugging, I found that this happens in loadKeyringFromDB. If a key is old, rpmPubkeyNew will return null. This value is sent to rpmGetSubkeys, which tries to dereference it. Which of course results in the crash.
Note that I'm not arguing that RPM should continue to SUPPORT these old keys. What I'm saying is it should handle their presence more gracefully than a crash. Just a simple check of the return value from rpmPubkeyNew, would be enough. If it is null, then skip this iteration iteration. Add a little warning that the key ought to be removed, and things would be much nicer! :-)
Your keys were probably ignored also in rpm-4.12 but rpmGetSubkeys() was added in rpm-4.13 and it causes this crash.
Yes, I can just add condition if rpmPubkeyNew() returns NULL then ingore it and show a warning. But I want to know what is wrong with your old keys. Can you put here output of "rpm --nosignature -qi gpg-pubkey-cba29bf9-31295e35" and "rpm --nosignature -qi gpg-pubkey-acba50c7-3509d939" ?
Created attachment 1089191 [details]
Created attachment 1089192 [details]
At your service! :-)
Thinking about it, I don't really know if there is anything wrong with the key acba50c7. When I realized the reason, I did an "rpm --last ..." and started to remove keys from the end. After the second key, rpm started working. So I can't be sure if I had left the first and only removed the second.
(I could find out, but I guess you're in a better position to investigate this from here.)
rpm-4.13.0-0.rc1.5.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-52b53659c1
rpm-4.13.0-0.rc1.5.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update rpm'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-52b53659c1
rpm-4.13.0-0.rc1.5.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.