* Re: Potential vulnerability: 'mixed up' output when commit has multiple signatures
From: Michał Górny @ 2018-08-15 6:43 UTC
To: Jonathan Nieder; +Cc: git-security
On Tue, 2018-08-14 at 22:35 -0700, Jonathan Nieder wrote:
> Hi,
>
> Michał Górny wrote:
>
> > I've been testing the git signature verification a bit and I've
> > discovered a troubling behavior when the commit object contains
> > multiple signatures.
>
> Thanks for discovering this. Do you mind if I take this conversation
> to the public mailing list? (I'd bounce the existing thread there if
> that's okay with you.)
>
I've already asked somewhere else in the thread if you consider this
suitable for disclosure, and haven't received a reply yet. In any case,
I don't mind it. I can resend my patch there if necessary too.
--
Best regards,
Michał Górny
* Re: Potential vulnerability: 'mixed up' output when commit has multiple signatures
From: Jonathan Nieder @ 2018-08-15 21:20 UTC
To: Michał Górny; +Cc: git
Michał Górny wrote:
> On Tue, 2018-08-14 at 22:35 -0700, Jonathan Nieder wrote:
>> Michał Górny wrote:
>>> I've been testing the git signature verification a bit and I've
>>> discovered a troubling behavior when the commit object contains
>>> multiple signatures.
>>
>> Thanks for discovering this. Do you mind if I take this conversation
>> to the public mailing list? (I'd bounce the existing thread there if
>> that's okay with you.)
>
> I've already asked somewhere else in the thread if you consider this
> suitable for disclosure, and haven't received a reply yet. In any case,
> I don't mind it.
Thanks, doing so.
Thanks again for the analysis and fix as well.