Diffstat (limited to '')
-rw-r--r--g10/keydb.c27
-rw-r--r--g10/keyring.c27
2 files changed, 41 insertions, 13 deletions
diff --git a/g10/keydb.c b/g10/keydb.c
index 401478a1d..cf422a879 100644
--- a/g10/keydb.c
+++ b/g10/keydb.c
@@ -771,21 +771,30 @@ parse_keyblock_image (iobuf_t iobuf, int pk_no, int uid_no,
err = gpg_error (GPG_ERR_INV_KEYRING);
break;
}
- if (pkt->pkttype == PKT_COMPRESSED)
- {
- log_error ("skipped compressed packet in keybox blob\n");
- free_packet(pkt);
- init_packet(pkt);
- continue;
- }
- if (pkt->pkttype == PKT_RING_TRUST)
+
+ /* Filter allowed packets. */
+ switch (pkt->pkttype)
{
- log_info ("skipped ring trust packet in keybox blob\n");
+ case PKT_PUBLIC_KEY:
+ case PKT_PUBLIC_SUBKEY:
+ case PKT_SECRET_KEY:
+ case PKT_SECRET_SUBKEY:
+ case PKT_USER_ID:
+ case PKT_ATTRIBUTE:
+ case PKT_SIGNATURE:
+ break; /* Allowed per RFC. */
+
+ default:
+ /* Note that can't allow ring trust packets here and some of
+ the other GPG specific packets don't make sense either. */
+ log_error ("skipped packet of type %d in keybox\n",
+ (int)pkt->pkttype);
free_packet(pkt);
init_packet(pkt);
continue;
}
+ /* Other sanity checks. */
if (!in_cert && pkt->pkttype != PKT_PUBLIC_KEY)
{
log_error ("parse_keyblock_image: first packet in a keybox blob "
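Review bot: Every packet skipped by the new default branch is reported with log_error, whereas the removed ring-trust case used log_info, so a keybox blob that still carries a stray ring-trust packet is now an error rather than an informational skip; if log_error feeds the process error count here as it does elsewhere in GnuPG, that also changes the exit status for such files, and a one-line comment stating that this is intended would help the next reader. The two allow-list comments could also be made precise: `break; /* Allowed per RFC 4880. */` and `/* Note that we can't allow ring trust packets here, and some of the other GnuPG-specific packets don't make sense either. */`. parse_keyblock_image continues outside the hunk on both sides.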
diff --git a/g10/keyring.c b/g10/keyring.c
index 6060f0894..ee76e8a33 100644
--- a/g10/keyring.c
+++ b/g10/keyring.c
@@ -406,12 +406,31 @@ keyring_get_keyblock (KEYRING_HANDLE hd, KBNODE *ret_kb)
rc = GPG_ERR_INV_KEYRING;
break;
}
- if (pkt->pkttype == PKT_COMPRESSED) {
- log_error ("skipped compressed packet in keyring\n");
+
+ /* Filter allowed packets. */
+ switch (pkt->pkttype)
+ {
+ case PKT_PUBLIC_KEY:
+ case PKT_PUBLIC_SUBKEY:
+ case PKT_SECRET_KEY:
+ case PKT_SECRET_SUBKEY:
+ case PKT_USER_ID:
+ case PKT_ATTRIBUTE:
+ case PKT_SIGNATURE:
+ break; /* Allowed per RFC. */
+ case PKT_RING_TRUST:
+ case PKT_OLD_COMMENT:
+ case PKT_COMMENT:
+ case PKT_GPG_CONTROL:
+ break; /* Allowed by us. */
+
+ default:
+ log_error ("skipped packet of type %d in keyring\n",
+ (int)pkt->pkttype);
free_packet(pkt);
init_packet(pkt);
continue;
- }
+ }
if (in_cert && (pkt->pkttype == PKT_PUBLIC_KEY
|| pkt->pkttype == PKT_SECRET_KEY)) {
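Review bot: The `Allowed by us` case admits PKT_RING_TRUST, PKT_OLD_COMMENT, PKT_COMMENT and PKT_GPG_CONTROL into the keyblock without saying why, although this loop is now explicitly filtering an on-disk keyring; a comment giving the reason — presumably that earlier GnuPG/PGP versions wrote these types into keyrings, so rejecting them would break existing files — would make the intent checkable. The allow-list repeats the one added to parse_keyblock_image in g10/keydb.c with these four extra members, so any future addition has to be made in both places; a shared predicate along the lines of `static int is_keyblock_packet (int pkttype, int allow_gpg_private)` would keep the two from drifting. keyring_get_keyblock continues on both sides of the hunk.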
@@ -478,7 +497,7 @@ keyring_get_keyblock (KEYRING_HANDLE hd, KBNODE *ret_kb)
if (rc || !ret_kb)
release_kbnode (keyblock);
else {
- /*(duplicated form the loop body)*/
+ /*(duplicated from the loop body)*/
if ( pkt && pkt->pkttype == PKT_RING_TRUST
&& lastnode
&& lastnode->pkt->pkttype == PKT_SIGNATURE