oss-sec mailing list archives
Re: Re: Re: Re: CVE request(?): gpg: improper file permssions set when en/de-crypting files
From: Matthias Weckbecker <mweckbecker () suse de>
Date: Tue, 25 Sep 2012 11:08:57 +0200
Hi Steve,

On Monday 24 September 2012 22:03:20 Steven M. Christey wrote:
> FYI, this discussion is an interesting example of what I've called the "snowball effect" in CVE when new kinds of issues arise that test the boundaries of what should or should not belong in CVE - allowing one (or a handful) could open the door to hundreds or thousands of other products that have the same issue.

Well, I think we are already past this effect: Looking at [1], I could find multiple CVEs that have been assigned for such issues.

[1] http://cwe.mitre.org/data/definitions/732.html

> Personally, I would expect a security/privacy-preserving product to select the most conservative file permissions that it knows won't violate the user's intention; in this case, the permissions of the original "source" file, as further restricted by the user-specified umask. If the user calls gpg with a world-readable file and a "promiscuous" umask, then they

Even if the encrypted file is not world-readable, the result (=decrypted file) is going to be placed world-readable as long as the default umask (=0022) was used.

[...]

> - Steve

Thanks,
Matthias

--
Matthias Weckbecker, Senior Security Engineer, SUSE Security Team
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg, Germany
Tel: +49-911-74053-0; http://suse.com/
SUSE LINUX Products GmbH, GF: Jeff Hawn, HRB 16746 (AG Nuernberg)
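
Added example, not part of the original message and not GnuPG's code: a comparison of the two output-file policies discussed above, run on a constructed source file. The function names are hypothetical, and the "naive" variant assumes a tool that requests mode 0666 on create and relies on the umask alone.

```python
import os
import stat
import tempfile


def create_naive(dst):
    """Request 0666 and let the umask trim it (assumed common pattern)."""
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
    os.close(fd)
    return stat.S_IMODE(os.stat(dst).st_mode)


def create_conservative(src, dst):
    """Request only the source file's permission bits.

    The kernel still applies the umask on top, so the result is
    "source permissions, further restricted by umask". The mode is set
    at open() time, so the output never exists with wider permissions.
    """
    src_mode = stat.S_IMODE(os.stat(src).st_mode) & 0o777
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, src_mode)
    os.close(fd)
    return stat.S_IMODE(os.stat(dst).st_mode)


def demo(src_mode, umask):
    """Return (naive_mode, conservative_mode) for a constructed source file."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            src = os.path.join(d, "secret.gpg")  # constructed sample file
            os.close(os.open(src, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600))
            os.chmod(src, src_mode)  # chmod is not affected by the umask
            naive = create_naive(os.path.join(d, "out_naive"))
            cons = create_conservative(src, os.path.join(d, "out_conservative"))
            return naive, cons
    finally:
        os.umask(old)


if __name__ == "__main__":
    for src_mode, umask in [(0o600, 0o022), (0o644, 0o022), (0o644, 0o077)]:
        naive, cons = demo(src_mode, umask)
        print(f"source {src_mode:04o} umask {umask:04o}: "
              f"naive {naive:04o}, conservative {cons:04o}")
```

The first case is the one raised in the reply: a 0600 source under umask 0022 yields a world-readable output with the naive policy and a 0600 output with the conservative one.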