Malformed signed_data from Commit#extract_signature #608

Open
kevinoconnor7 opened this issue May 29, 2016 · 5 comments
@kevinoconnor7

I've been seeing weird behavior with Commit.extract_signature where I'm getting some garbage data at the end of the signed data string.

For example:

require 'rugged'
repo = Rugged::Repository.new('/tmp/test')
commit = '7cd86ea426f277276367bd955f312fcbadd7bc5d'

# Note: I can only reproduce the error if rev_parse is called first
repo.rev_parse(commit)
p Rugged::Commit.extract_signature(repo, commit)

As a result the signed_data portion of the returned array sometimes has a \n as the last character. However, I get seemingly random data in that last byte.

I was not able to reproduce this in the tests; however, I can reliably reproduce it if I create a new repo locally, add a few signed commits, and then try to extract the signatures via rugged.

@ethomson
Member

ethomson commented Jun 1, 2016

Hi! Thanks for reporting this - can you share the repo that you created that illustrates this problem?

@kevinoconnor7
Author

kevinoconnor7 commented Jun 1, 2016

I reproduced it by just creating a repo, touching a file, and committing it with a GPG-signed commit. I did this process a few times and it reproduced consistently. If you cannot get it to reproduce doing that, then I'll push a repo later today that reproduces the issue.

@kevinoconnor7
Author

I took another look today and I cannot get it to reproduce when creating a new repo, but this repo does demonstrate the issue: kevinoconnor7/malform-signature-test

This code:

require 'rugged'
repo = Rugged::Repository.new('/tmp/test')
commit = '7cd86ea426f277276367bd955f312fcbadd7bc5d'

repo.rev_parse(commit)
p Rugged::Commit.extract_signature(repo, commit)
p Rugged::Commit.extract_signature(repo, commit)
p Rugged::Commit.extract_signature(repo, commit)
p Rugged::Commit.extract_signature(repo, commit)
p Rugged::Commit.extract_signature(repo, commit)

produced:

["-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQEcBAABAgAGBQJXSik8AAoJEMUNS2x+QKQJ7JUIAMvo3ssUJt7DVEs6pUUqsl9H\n38JrrJCdJpiyl7fy/DymGyWOCxIz2ePwSny40bIUPM73iuWjGDFfai2HTRNUejDR\nPvI2fIUUzPfkXSzdCP2hvWhk9H90Mns9f8qlEnSGBr1qW18khCGJZLl3h19YHo0/\n2adzEDutGv6O/m+HNKgoR436MKsn6Wnu7IcdeOpbL/wFfuFAQ7coFuP8l879TIKq\nziS7296lB4KvMFFezKhBzVIguBjTQYNddEdmMFcPctSTUtleBvfne0y/FGprMU1D\nx3HW/m1j3pTyM3Il1WNhRXce+TxbYlyzOnMAD3t9dAGjP1onzf7YbWyur3s0DKw=\n=igJt\n-----END PGP SIGNATURE-----", "tree d2d6c400e0c2535f3c8a2dae8621707397807a84\nparent accffad46605d3fc79e9ecd1d2c42c1c61a0a596\nauthor Kevin O'Connor <kevin.oconnor7@gmail.com> 1464478006 -0400\ncommitter Kevin O'Connor <kevin.oconnor7@gmail.com> 1464478006 -0400\n\nAnother commit\n"]
["-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQEcBAABAgAGBQJXSik8AAoJEMUNS2x+QKQJ7JUIAMvo3ssUJt7DVEs6pUUqsl9H\n38JrrJCdJpiyl7fy/DymGyWOCxIz2ePwSny40bIUPM73iuWjGDFfai2HTRNUejDR\nPvI2fIUUzPfkXSzdCP2hvWhk9H90Mns9f8qlEnSGBr1qW18khCGJZLl3h19YHo0/\n2adzEDutGv6O/m+HNKgoR436MKsn6Wnu7IcdeOpbL/wFfuFAQ7coFuP8l879TIKq\nziS7296lB4KvMFFezKhBzVIguBjTQYNddEdmMFcPctSTUtleBvfne0y/FGprMU1D\nx3HW/m1j3pTyM3Il1WNhRXce+TxbYlyzOnMAD3t9dAGjP1onzf7YbWyur3s0DKw=\n=igJt\n-----END PGP SIGNATURE-----", "tree d2d6c400e0c2535f3c8a2dae8621707397807a84\nparent accffad46605d3fc79e9ecd1d2c42c1c61a0a596\nauthor Kevin O'Connor <kevin.oconnor7@gmail.com> 1464478006 -0400\ncommitter Kevin O'Connor <kevin.oconnor7@gmail.com> 1464478006 -0400\n\nAnother commit."]
["-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQEcBAABAgAGBQJXSik8AAoJEMUNS2x+QKQJ7JUIAMvo3ssUJt7DVEs6pUUqsl9H\n38JrrJCdJpiyl7fy/DymGyWOCxIz2ePwSny40bIUPM73iuWjGDFfai2HTRNUejDR\nPvI2fIUUzPfkXSzdCP2hvWhk9H90Mns9f8qlEnSGBr1qW18khCGJZLl3h19YHo0/\n2adzEDutGv6O/m+HNKgoR436MKsn6Wnu7IcdeOpbL/wFfuFAQ7coFuP8l879TIKq\nziS7296lB4KvMFFezKhBzVIguBjTQYNddEdmMFcPctSTUtleBvfne0y/FGprMU1D\nx3HW/m1j3pTyM3Il1WNhRXce+TxbYlyzOnMAD3t9dAGjP1onzf7YbWyur3s0DKw=\n=igJt\n-----END PGP SIGNATURE-----", "tree d2d6c400e0c2535f3c8a2dae8621707397807a84\nparent accffad46605d3fc79e9ecd1d2c42c1c61a0a596\nauthor Kevin O'Connor <kevin.oconnor7@gmail.com> 1464478006 -0400\ncommitter Kevin O'Connor <kevin.oconnor7@gmail.com> 1464478006 -0400\n\nAnother commit\n"]
["-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQEcBAABAgAGBQJXSik8AAoJEMUNS2x+QKQJ7JUIAMvo3ssUJt7DVEs6pUUqsl9H\n38JrrJCdJpiyl7fy/DymGyWOCxIz2ePwSny40bIUPM73iuWjGDFfai2HTRNUejDR\nPvI2fIUUzPfkXSzdCP2hvWhk9H90Mns9f8qlEnSGBr1qW18khCGJZLl3h19YHo0/\n2adzEDutGv6O/m+HNKgoR436MKsn6Wnu7IcdeOpbL/wFfuFAQ7coFuP8l879TIKq\nziS7296lB4KvMFFezKhBzVIguBjTQYNddEdmMFcPctSTUtleBvfne0y/FGprMU1D\nx3HW/m1j3pTyM3Il1WNhRXce+TxbYlyzOnMAD3t9dAGjP1onzf7YbWyur3s0DKw=\n=igJt\n-----END PGP SIGNATURE-----", "tree d2d6c400e0c2535f3c8a2dae8621707397807a84\nparent accffad46605d3fc79e9ecd1d2c42c1c61a0a596\nauthor Kevin O'Connor <kevin.oconnor7@gmail.com> 1464478006 -0400\ncommitter Kevin O'Connor <kevin.oconnor7@gmail.com> 1464478006 -0400\n\nAnother commit."]
["-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQEcBAABAgAGBQJXSik8AAoJEMUNS2x+QKQJ7JUIAMvo3ssUJt7DVEs6pUUqsl9H\n38JrrJCdJpiyl7fy/DymGyWOCxIz2ePwSny40bIUPM73iuWjGDFfai2HTRNUejDR\nPvI2fIUUzPfkXSzdCP2hvWhk9H90Mns9f8qlEnSGBr1qW18khCGJZLl3h19YHo0/\n2adzEDutGv6O/m+HNKgoR436MKsn6Wnu7IcdeOpbL/wFfuFAQ7coFuP8l879TIKq\nziS7296lB4KvMFFezKhBzVIguBjTQYNddEdmMFcPctSTUtleBvfne0y/FGprMU1D\nx3HW/m1j3pTyM3Il1WNhRXce+TxbYlyzOnMAD3t9dAGjP1onzf7YbWyur3s0DKw=\n=igJt\n-----END PGP SIGNATURE-----", "tree d2d6c400e0c2535f3c8a2dae8621707397807a84\nparent accffad46605d3fc79e9ecd1d2c42c1c61a0a596\nauthor Kevin O'Connor <kevin.oconnor7@gmail.com> 1464478006 -0400\ncommitter Kevin O'Connor <kevin.oconnor7@gmail.com> 1464478006 -0400\n\nAnother commit."]

@carlosmn
Member

This looks like we might not be properly filling in the buffer, since there is no period in that commit.

@carlosmn carlosmn self-assigned this Jun 21, 2016
@koffeinfrei

This seems to be fixed starting with 0.26.0b4.

Jamedjo pushed a commit to gitlabhq/gitlabhq that referenced this issue Jul 28, 2017
the rugged versions up to 0.26.0b3 had a bug concerning the signature
extraction. The extracted signature was not always the same, probably
due to a buffer (overflow) issue in libgit.

see libgit2/rugged#608
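
For checking output like the above, here is an added example (not from this thread and not rugged's or libgit2's code) that splits a raw commit object into [signature, signed_data] in pure Ruby, using Git's rule that continuation lines of the gpgsig header start with one space. The sample commit is constructed, and `split_signed_commit` and `distinct_results` are hypothetical helper names; a signature only verifies over the exact payload bytes, so the last-byte difference seen in the issue matters.

```ruby
# Added example: pure-Ruby split of a raw commit object, no rugged/libgit2.
# Constructed sample: object IDs, identity and signature body are placeholders.
SAMPLE_COMMIT = [
  "tree 1111111111111111111111111111111111111111",
  "parent 2222222222222222222222222222222222222222",
  "author Example Dev <dev@example.invalid> 1464478006 -0400",
  "committer Example Dev <dev@example.invalid> 1464478006 -0400",
  "gpgsig -----BEGIN PGP SIGNATURE-----",
  " Version: GnuPG v1",
  " ",
  " Q09OU1RSVUNURUQtU0lHTkFUVVJF",
  " -----END PGP SIGNATURE-----",
  "",
  "Another commit",
  ""
].join("\n").b.freeze

# Returns [signature, signed_data], or nil when the commit has no such header.
def split_signed_commit(raw, field = "gpgsig")
  headers, sep, message = raw.b.partition("\n\n")
  raise ArgumentError, "no header/message separator" if sep.empty?
  sig, kept, in_sig = [], [], false
  headers.each_line(chomp: true) do |line|
    if line.start_with?("#{field} ")      # first line of the signature header
      in_sig = true
      sig << line[(field.length + 1)..-1]
    elsif in_sig && line.start_with?(" ") # continuation: drop one leading space
      sig << line[1..-1]
    else                                  # any other header stays in the payload
      in_sig = false
      kept << line
    end
  end
  return nil if sig.empty?
  [sig.join("\n"), kept.join("\n") + "\n\n" + message]
end

# Runs the block `runs` times and returns the distinct results. A deterministic
# extractor yields exactly one; the output in this issue would yield two.
def distinct_results(runs = 5)
  Array.new(runs) { yield }.uniq
end
```

To run the same repeat check against rugged, pass the call from the issue as the block: `distinct_results { Rugged::Commit.extract_signature(repo, commit) }`.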