Bugzilla – Bug 1127220
[libgpgme] gpgme_op_import issue when signal is received (e.g. CTRL-C in zypper)
Last modified: 2019-08-18 14:44:38 UTC
Created attachment 798296 [details]
GOOD case importing 8 keys.

Applies to libgpgme 1.10.0 (SLE15*) as well as 1.11 (TW)

You may be able to trigger the error by running 'zypper ref' and hitting CTRL-C once and fast:

> $ zypper ref
> ^C
>
> Note: The rpm database seems to contain old V3 version gpg keys which are meanwhile obsolete and
> considered insecure:
>
> gpg-pubkey-1abd1afb-54176598
> ...

The reported V3 keys are wrong. In fact zypp checks which keys were not imported into the keyring, and assumes that these are V3. We can most probably work around this in zypp, but nevertheless it seems to be a bug in libgpgme (maybe missing EINTR handling).

Zypp writes the ASCII armored gpg keys found in the rpm DB into a file. The file is then read using

> gpgme_data_new_from_file( &buffer, file, 1 );
> gpgme_op_import( ctx, buffer );

The signal is most probably received and handled while gpgme_op_import is running. The function then returns without error, but checking gpgme_op_import_result reveals that the stats are incomplete (8 keys have been offered in the file, but 0 considered keys are reported though 1 is in the imports list (DA400A68)):

> [zypp::gpg] KeyManager.cc(importKey):411 ------------------------------------
> [zypper] main.cc(signal_handler):23 OOOOPS
> [zypp::gpg] KeyManager.cc(importKey):418 gpgme_op_import_result {
> [zypp::gpg] KeyManager.cc(importKey):418 0 The total number of considered keys.
> [zypp::gpg] KeyManager.cc(importKey):418 0 The number of keys without user ID.
> [zypp::gpg] KeyManager.cc(importKey):418 0 The total number of imported keys.
> [zypp::gpg] KeyManager.cc(importKey):418 0 imported RSA keys.
> [zypp::gpg] KeyManager.cc(importKey):418 0 unchanged keys.
> [zypp::gpg] KeyManager.cc(importKey):418 0 new user IDs.
> [zypp::gpg] KeyManager.cc(importKey):418 0 new sub keys.
> [zypp::gpg] KeyManager.cc(importKey):418 0 new signatures.
> [zypp::gpg] KeyManager.cc(importKey):418 0 new revocations.
> [zypp::gpg] KeyManager.cc(importKey):418 0 secret keys read.
> [zypp::gpg] KeyManager.cc(importKey):418 0 imported secret keys.
> [zypp::gpg] KeyManager.cc(importKey):418 0 unchanged secret keys.
> [zypp::gpg] KeyManager.cc(importKey):418 0 keys not imported.
> [zypp::gpg] KeyManager.cc(importKey):418 - 0DA7D5EB3C7C38E18E55F555C24F66DEDA400A68: 0
> [zypp::gpg] KeyManager.cc(importKey):418 }

This is how it looks without a signal:

> [zypp::gpg] KeyManager.cc(importKey):411 ------------------------------------
> [zypp::gpg] KeyManager.cc(importKey):418 gpgme_op_import_result {
> [zypp::gpg] KeyManager.cc(importKey):418 8 The total number of considered keys.
> [zypp::gpg] KeyManager.cc(importKey):418 0 The number of keys without user ID.
> [zypp::gpg] KeyManager.cc(importKey):418 8 The total number of imported keys.
> [zypp::gpg] KeyManager.cc(importKey):418 0 imported RSA keys.
> [zypp::gpg] KeyManager.cc(importKey):418 0 unchanged keys.
> [zypp::gpg] KeyManager.cc(importKey):418 0 new user IDs.
> [zypp::gpg] KeyManager.cc(importKey):418 0 new sub keys.
> [zypp::gpg] KeyManager.cc(importKey):418 0 new signatures.
> [zypp::gpg] KeyManager.cc(importKey):418 0 new revocations.
> [zypp::gpg] KeyManager.cc(importKey):418 0 secret keys read.
> [zypp::gpg] KeyManager.cc(importKey):418 0 imported secret keys.
> [zypp::gpg] KeyManager.cc(importKey):418 0 unchanged secret keys.
> [zypp::gpg] KeyManager.cc(importKey):418 0 keys not imported.
> [zypp::gpg] KeyManager.cc(importKey):418 - 0DA7D5EB3C7C38E18E55F555C24F66DEDA400A68: 0
> [zypp::gpg] KeyManager.cc(importKey):418 - F8875B880D518B6B8C530D1345A1D0671ABD1AFB: 0
> [zypp::gpg] KeyManager.cc(importKey):418 - 22C07BA534178CD02EFE22AAB88B2FD43DBDC284: 0
> [zypp::gpg] KeyManager.cc(importKey):418 - EAAAB2461DA8429EF152BE23AF92960D7C99E700: 0
> [zypp::gpg] KeyManager.cc(importKey):418 - 1D4A7EC7023D0D3EDEACE106F8648C9409CA02B0: 0
> [zypp::gpg] KeyManager.cc(importKey):418 - FCADAFC81273B9E7F184F2B0826659A9013E5B65: 0
> [zypp::gpg] KeyManager.cc(importKey):418 - FEAB502539D846DB2C0961CA70AF9E8139DB7C82: 0
> [zypp::gpg] KeyManager.cc(importKey):418 - 428E4E348405CE7900DB99C230A8343A498D5A23: 0
> [zypp::gpg] KeyManager.cc(importKey):418 }

I'll also attach GOODgpgme.log and FAILgpgme.log created by GPGME_DEBUG=9 for the above two cases.

Created attachment 798297 [details] FAIL case returning no error though not all keys were processed.
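
The FAIL log above has the import call returning without error while the result reports 0 considered keys yet lists one fingerprint. A caller-side consistency check for that situation, as an added example that is not code from libzypp or gpgme: `ImportStats`, `count_offered` and `check_import` are hypothetical names, and the struct is a stand-in for the fields the logs print.

```cpp
#include <cstddef>
#include <iostream>
#include <set>
#include <string>
#include <vector>

// Hypothetical stand-in for the import result fields printed in the logs
// above; real code would copy them from the gpgme result after the import.
struct ImportStats {
    int considered = 0;                 // "total number of considered keys"
    std::vector<std::string> imports;   // fingerprints from the imports list
};

enum class Verdict { Complete, Incomplete, Inconsistent };

// Count the armored public key blocks written to the file before importing.
std::size_t count_offered(const std::string& armored) {
    const std::string marker = "-----BEGIN PGP PUBLIC KEY BLOCK-----";
    std::size_t n = 0;
    for (std::size_t pos = armored.find(marker); pos != std::string::npos;
         pos = armored.find(marker, pos + marker.size()))
        ++n;
    return n;
}

// Decide whether the stats can be trusted before drawing conclusions
// (such as "this key is V3") from keys that are absent from the keyring.
Verdict check_import(std::size_t offered, const ImportStats& s) {
    const std::set<std::string> distinct(s.imports.begin(), s.imports.end());
    // Assumption: every key in the imports list was also counted as considered.
    if (s.considered < 0 || distinct.size() > static_cast<std::size_t>(s.considered))
        return Verdict::Inconsistent;   // FAIL log: 0 considered, 1 listed
    if (static_cast<std::size_t>(s.considered) < offered)
        return Verdict::Incomplete;     // import stopped before the end of the file
    return Verdict::Complete;           // GOOD log: 8 offered, 8 considered
}

int main() {
    // Constructed input mirroring the FAIL case: 8 blocks offered, 1 fingerprint listed.
    std::string file;
    for (int i = 0; i < 8; ++i) file += "-----BEGIN PGP PUBLIC KEY BLOCK-----\n...\n";
    ImportStats fail;
    fail.imports = {"0DA7D5EB3C7C38E18E55F555C24F66DEDA400A68"};
    const bool trusted = check_import(count_offered(file), fail) == Verdict::Complete;
    std::cout << (trusted ? "stats complete" : "stats incomplete: retry or fail") << "\n";
    return 0;
}
```

Any verdict other than `Complete` means keys missing from the keyring say nothing about their version, so the caller should retry the import or report an error.
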

SUSE-SU-2019:2030-1: An update that solves three vulnerabilities and has 41 fixes is now available.

Category: security (moderate)
Bug References: 1047962,1049826,1053177,1065022,1099019,1102261,1110542,1111319,1112911,1113296,1114908,1115341,1116840,1118758,1119373,1119820,1119873,1120263,1120463,1120629,1120630,1120631,1121611,1122062,1122471,1123137,1123681,1123843,1123865,1123967,1124897,1125415,1127026,1127155,1127220,1130161,1131823,1135749,1137977,663358,764147,965786,978193,993025
CVE References: CVE-2018-20532,CVE-2018-20533,CVE-2018-20534
Sources used:
SUSE Linux Enterprise Workstation Extension 15 (src): PackageKit-1.1.10-4.10.4
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): libsolv-0.7.5-3.12.2, libyui-ncurses-pkg-2.48.5.2-3.5.2, libyui-qt-pkg-2.45.15.2-3.5.3, libzypp-17.12.0-3.23.6, zypper-1.14.28-3.18.6
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): PackageKit-1.1.10-4.10.4, libsolv-0.7.5-3.12.2, libzypp-17.12.0-3.23.6, yast2-pkg-bindings-devel-doc-4.0.13-3.7.2, zypper-1.14.28-3.18.6
SUSE Linux Enterprise Module for Development Tools 15 (src): libsolv-0.7.5-3.12.2
SUSE Linux Enterprise Module for Desktop Applications 15 (src): PackageKit-1.1.10-4.10.4, libyui-qt-pkg-2.45.15.2-3.5.3
SUSE Linux Enterprise Module for Basesystem 15 (src): libsolv-0.7.5-3.12.2, libyui-ncurses-pkg-2.48.5.2-3.5.2, libyui-ncurses-pkg-doc-2.48.5.2-3.5.3, libyui-qt-pkg-2.45.15.2-3.5.3, libyui-qt-pkg-doc-2.45.15.2-3.5.3, libzypp-17.12.0-3.23.6, yast2-pkg-bindings-4.0.13-3.7.2, zypper-1.14.28-3.18.6
SUSE Linux Enterprise Installer 15 (src): libsolv-0.7.5-3.12.2, libyui-ncurses-pkg-2.48.5.2-3.5.2, libyui-qt-pkg-2.45.15.2-3.5.3, libzypp-17.12.0-3.23.6, yast2-pkg-bindings-4.0.13-3.7.2, zypper-1.14.28-3.18.6

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2019:1927-1: An update that solves three vulnerabilities and has 41 fixes is now available.

Category: security (moderate)
Bug References: 1047962,1049826,1053177,1065022,1099019,1102261,1110542,1111319,1112911,1113296,1114908,1115341,1116840,1118758,1119373,1119820,1119873,1120263,1120463,1120629,1120630,1120631,1121611,1122062,1122471,1123137,1123681,1123843,1123865,1123967,1124897,1125415,1127026,1127155,1127220,1130161,1131823,1135749,1137977,663358,764147,965786,978193,993025
CVE References: CVE-2018-20532,CVE-2018-20533,CVE-2018-20534
Sources used:
openSUSE Leap 15.0 (src): PackageKit-1.1.10-lp150.11.1, libsolv-0.7.5-lp150.7.1, libyui-ncurses-pkg-2.48.5.2-lp150.7.1, libyui-qt-pkg-2.45.15.2-lp150.7.1, libzypp-17.12.0-lp150.2.13.1, yast2-pkg-bindings-4.0.13-lp150.2.13.1, zypper-1.14.28-lp150.2.13.1