From 6cc04a750a8f35d80cf17058ffa61f5cbf0ea43b Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Fri, 29 Nov 2024 11:31:48 +0200
Subject: [PATCH] Fix possible package corruption on --delsign/resign/addsign

Make sure we don't overrun the original signature header when
adjusting reserved size. Fixes a brainfart introduced in commit
be950eabb84a88e5773e096435c37b92e3d47ebb: the count reservation
size is relative to the size of the new header, obviously.

Another crucial difference is that when considering whether we can
transplant the new signature header in the originals place we need
to consider the real on-disk signature, not the size of its
immutable region. The immutable region can be much much smaller than
the physical header if eg the IMA signatures are misplaced outside it,
making our calculations way off.

Fixes: #3469
---
 sign/rpmgensig.cc  | 7 ++++---
 tests/rpmsigdig.at | 1 -
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/sign/rpmgensig.cc b/sign/rpmgensig.cc
index baaa4fedc4..d10f22555d 100644
--- a/sign/rpmgensig.cc
+++ b/sign/rpmgensig.cc
@@ -698,8 +698,8 @@ static int rpmSign(const char *rpm, int deleting, int flags)
 	    flags &= ~(RPMSIGN_FLAG_RPMV4|RPMSIGN_FLAG_RPMV3);
     }
 
-    unloadImmutableRegion(&sigh, RPMTAG_HEADERSIGNATURES);
     origSigSize = headerSizeof(sigh, HEADER_MAGIC_YES);
+    unloadImmutableRegion(&sigh, RPMTAG_HEADERSIGNATURES);
 
     if (flags & RPMSIGN_FLAG_IMA) {
 	if (includeFileSignatures(&sigh, &h))
@@ -745,12 +745,13 @@ static int rpmSign(const char *rpm, int deleting, int flags)
 
     /* Adjust reserved size for added/removed signatures */
     if (headerGet(sigh, reserveTag, &utd, HEADERGET_MINMEM)) {
-	int diff = headerSizeof(sigh, HEADER_MAGIC_YES) - origSigSize;
+	unsigned newSize = headerSizeof(sigh, HEADER_MAGIC_YES);
+	int diff = newSize - origSigSize;
 
 	/* diff can be zero if nothing was added or removed */
 	if (diff) {
 	    utd.count -= diff;
-	    if (utd.count > 0 && utd.count < origSigSize) {
+	    if (utd.count > 0 && newSize + utd.count <= origSigSize) {
 		uint8_t *zeros = (uint8_t *)xcalloc(utd.count, sizeof(*zeros));
 		utd.data = zeros;
 		headerMod(sigh, &utd);
diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at
index 3c60868fef..603f4a8aa6 100644
--- a/tests/rpmsigdig.at
+++ b/tests/rpmsigdig.at
@@ -1847,7 +1847,6 @@ RPMTEST_CLEANUP
 
 AT_SETUP([--delsign with misplaced ima signature])
 AT_KEYWORDS([rpmsign file signature])
-AT_XFAIL_IF([test $RPM_XFAIL -ne 0])
 RPMTEST_CHECK([
 cp /data/RPMS/hello-2.0-1.x86_64-badima.rpm .
 rpmsign --delsign hello-2.0-1.x86_64-badima.rpm