Avoid passing tainted keyrings to signature verification

author Jacob Bachmeyer <jcb@gnu.org>

Wed, 26 Oct 2022 01:28:51 +0000 (20:28 -0500)

committer Jacob Bachmeyer <jcb@gnu.org>

Wed, 26 Oct 2022 01:28:51 +0000 (20:28 -0500)
author Jacob Bachmeyer <jcb@gnu.org>
Wed, 26 Oct 2022 01:28:51 +0000 (20:28 -0500)
committer Jacob Bachmeyer <jcb@gnu.org>
Wed, 26 Oct 2022 01:28:51 +0000 (20:28 -0500)
diff --git a/gatekeeper.pl b/gatekeeper.pl

index 95e5996a4aed0ffd161791bb2db6ca5d1ebbf54c..cad4a523fcd70563d245fe641d10a5db88644e34 100755 (executable)
--- a/gatekeeper.pl
+++ b/gatekeeper.pl
@@ -1773,8 +1773,9 @@ sub read_directive_file {
    my @tmp_keyrings;
    open(TMP,"/usr/bin/find $package_config_base -name pubring.gpg|");
    while(<TMP>) {
-    chomp();
-    push(@tmp_keyrings,$_);
+    chomp;
+    m,^(/?${RE_filename_relative})$, or next;
+    push @tmp_keyrings, $1;
    }
    close(TMP);
author	Jacob Bachmeyer <jcb@gnu.org>
	Wed, 26 Oct 2022 01:28:51 +0000 (20:28 -0500)
committer	Jacob Bachmeyer <jcb@gnu.org>
	Wed, 26 Oct 2022 01:28:51 +0000 (20:28 -0500)