[zypp-commit] <libzypp> SuSE-SLE-10-SP3-Branch : Also check if the fingerprint matches before importing updated keys. (bnc #393160)

4 Jul 2008

ref: refs/heads/SuSE-SLE-10-SP3-Branch
commit a4447c62bfcfaa1d75bcdcb194f5e3267a5c7ff1
Author: Michael Andres 
Date:   Fri Jul 4 15:24:58 2008 +0000

    Also check if the fingerprint matches before importing updated keys. (bnc #393160)
---
 VERSION                 |    2 +-
 package/libzypp.changes |    8 ++++++++
 zypp/KeyRing.cc         |    5 ++++-
 3 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/VERSION b/VERSION
index 7858323..54324c3 100644
--- a/VERSION
+++ b/VERSION
@@ -49,5 +49,5 @@ dnl ==================================================
 m4_define([LIBZYPP_MINOR],	 [32])
 m4_define([LIBZYPP_COMPATMINOR], [15])
 dnl ==================================================
-m4_define([LIBZYPP_PATCH],	 [1])
+m4_define([LIBZYPP_PATCH],	 [2])
 dnl ==================================================
diff --git a/package/libzypp.changes b/package/libzypp.changes
index c679fa9..c338225 100644
--- a/package/libzypp.changes
+++ b/package/libzypp.changes
@@ -1,4 +1,12 @@
 -------------------------------------------------------------------
+Fri Jul  4 17:19:24 CEST 2008 - ma@suse.de
+
+- Also check if the fingerprint matches before importing updated keys. 
+  (bnc #393160)
+- version 2.32.2
+- revision 10496
+
+-------------------------------------------------------------------
 Fri Jun 27 16:16:50 CEST 2008 - ma@suse.de
 
 - Invoke gpg with --homdir, otherwise command fails if executed
diff --git a/zypp/KeyRing.cc b/zypp/KeyRing.cc
index c42bb93..2a94d4e 100644
--- a/zypp/KeyRing.cc
+++ b/zypp/KeyRing.cc
@@ -311,7 +311,10 @@ namespace zypp
       if ( publicKeyExists( id, generalKeyRing() ) )
       {
         PublicKey untkey = exportKey( id, generalKeyRing() );
-        if ( untkey.created() > key.created() )
+        // bnc #393160: Comment #30: Compare at least the fingerprint
+        // in case an attacker created a key the the same id.
+        if ( untkey.fingerprint() == key.fingerprint()
+             && untkey.created() > key.created() )
         {
           MIL << "Key " << key << " was updated. Saving new version into trusted keyring." << endl;
           importKey( untkey, true );
-- 
To unsubscribe, e-mail: zypp-commit+unsubscribe@opensuse.org
For additional commands, e-mail: zypp-commit+help@opensuse.org

    