Source: ostree
Version: 2025.1-1
Severity: important

Hello,

ostree throws a testsuite error against gpg 2.4.7-5:

FAIL: tests/test-gpg-verify-result 5 /gpg-verify-result/expired-key - OSTree:ERROR:tests/test-gpg-verify-result.c:288:test_expired_key: 'key_expired' should be TRUE

This did not happen against 2.4.7-4. 2.4.7-5 adds a number of patches, and the triggering commit is

62d8d2f024d5e5c3289d5bf7892013dc18eac4b0
void DoS on signature verification
https://salsa.debian.org/debian/gnupg2/-/commit/62d8d2f024d5e5c3289d5bf7892013dc18eac4b0

which adds three patches from upstream STABLE-BRANCH-2-4:

+ 25d748c3dfc0102f9e54afea59ff26b3969bd8c1
  gpg: Lookup key for merging/inserting only by primary key.
+ da0164efc7f32013bc24d97b9afa9f8d67c318bb
  gpg: Fix a verification DoS due to a malicious subkey in the keyring.
+ 9cd371b12d80cfc5bc85cb6e5f5eebb4decbe94f
  gpg: Remove a signature check function wrapper.

Ostree's autopkgtest throws more errors, which I do not see on a local rebuild in sid chroot.

cu Andreas

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.12-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled