oss-sec mailing list archives
Re: CVE request(?): gpg: improper file permssions set when en/de-crypting files
From: Solar Designer <solar () openwall com>
Date: Sun, 23 Sep 2012 05:55:09 +0400
On Fri, Sep 21, 2012 at 12:37:00PM +0200, Tomas Mraz wrote:
On Fri, 2012-09-21 at 12:20 +0200, Matthias Weckbecker wrote:# de-crypting % gpg sikrit.gpg % ll sikrit* -rw-r--r-- 1 gp users 12 Sep 17 09:41 sikrit -rw------- 1 gp users 480 Sep 17 09:40 sikrit.gpg
[...]
I suppose the permissions respect the user's umask so I do not think this is a real security issue in the gpg itself. Although using the permissions of the original file when creating the decrypted/encrypted one (still modified with the user's umask) would be more appropriate. So in my opinion this does not warrant a CVE but improvement in the upstream gnupg code would be appreciated I think.
Agreed, and the "still modified with the user's umask" portion is very important. I assume you mean orig.st_mode & ~umask. With open(..., O_CREAT | ..., orig.st_mode) this does not need to be explicit, but with fchmod() it does. (Sorry for stating the obvious, but I am concerned that someone might patch GnuPG to just chmod to the original file's perms ignoring umask, which would be a dangerous change of behavior.) Alexander
Current thread:
- Re: Re: Re: Re: CVE request(?): gpg: improper file permssions set when en/de-crypting files, (continued)
- Re: Re: Re: Re: CVE request(?): gpg: improper file permssions set when en/de-crypting files Tavis Ormandy (Sep 24)
- Re: Re: Re: Re: Re: CVE request(?): gpg: improper file permssions set when en/de-crypting files Michael Gilbert (Sep 24)
- Re: Re: Re: Re: Re: CVE request(?): gpg: improper file permssions set when en/de-crypting files Michael Gilbert (Sep 24)
- Re: Re: Re: Re: CVE request(?): gpg: improper file permssions set when en/de-crypting files Steven M. Christey (Sep 24)
- Re: Re: Re: Re: CVE request(?): gpg: improper file permssions set when en/de-crypting files Matthias Weckbecker (Sep 25)
- Re: Re: Re: Re: CVE request(?): gpg: improper file permssions set when en/de-crypting files Kurt Seifried (Sep 26)
- Re: Re: Re: CVE request(?): gpg: improper file permssions set when en/de-crypting files Patrick J. Volkerding (Sep 24)
- Re: Re: Re: CVE request(?): gpg: improper file permssions set when en/de-crypting files Kurt Seifried (Sep 24)
- Re: Re: Re: CVE request(?): gpg: improper file permssions set when en/de-crypting files Kurt Seifried (Sep 24)
- Re: Re: Re: CVE request(?): gpg: improper file permssions set when en/de-crypting files Tavis Ormandy (Sep 24)