oss-sec mailing list archives

Re: CVE request(?): gpg: improper file permissions set when en/de-crypting files


From: Matthias Weckbecker <mweckbecker () suse de>
Date: Fri, 21 Sep 2012 12:41:26 +0200

On Friday 21 September 2012 12:35:49 Dan Rosenberg wrote:
[...]

[1] https://bugzilla.novell.com/show_bug.cgi?id=780943

Wouldn't one usually expect files that were previously encrypted to
contain sensitive content (that's probably why content is encrypted at
all)? And if so, shouldn't such files be only readable by certain users /
group of users by default? Otherwise, a file that is e.g. decrypted in
/tmp might leak due to the file permissions being too loose.

GPG seems to just be honoring the umask:


Yes, that's correct. I think, however, that many distros ship umask=0022 by
default. That would be -rw-r--r--.

[...]

Still might be worth fixing though.


I thought so too.

-Dan

Thanks for your feedback so far!

Matthias

-- 
Matthias Weckbecker, Senior Security Engineer, SUSE Security Team
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg, Germany
Tel: +49-911-74053-0;  http://suse.com/
SUSE LINUX Products GmbH, GF: Jeff Hawn, HRB 16746 (AG Nuernberg) 
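
The umask behaviour discussed in this message, as an added example that is not part of the original thread or of GnuPG: a file created by a tool that honors the umask ends up `-rw-r--r--` under umask 0022, while the same write under umask 077 yields `-rw-------`. The function names are hypothetical, and `write_plaintext` is a constructed stand-in for the decrypting tool.

```shell
#!/bin/sh
# Constructed demo: shell redirection opens files with mode 0666, so the
# resulting mode is 0666 & ~umask, the behaviour described in the thread.

# Print the permission string of a file, e.g. -rw-r--r--
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Run a command under umask 077 in a subshell; the caller's umask is untouched.
# Example use with a real tool: run_private gpg --output plain.txt --decrypt file.gpg
run_private() (
    umask 077
    "$@"
)

# Stand-in (assumption) for a tool that writes plaintext and honors the umask.
write_plaintext() {
    printf 'constructed secret\n' > "$1"
}

# List regular files under a directory that are readable by "other".
world_readable() {
    find "$1" -type f -perm -004
}

demo() {
    dir=$(mktemp -d) || return 1
    ( umask 022; write_plaintext "$dir/loose.txt" )   # common distro default
    run_private write_plaintext "$dir/tight.txt"      # restrictive umask
    echo "umask 022 -> $(mode_of "$dir/loose.txt")"
    echo "umask 077 -> $(mode_of "$dir/tight.txt")"
    echo "readable by other:"
    world_readable "$dir"
    rm -rf "$dir"
}

demo
```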

