GnuPG exploit [Fwd: Possible problem with GnuPG 1.0.6]

Philipp Gühring p.guehring@futureware.at
Mon Dec 31 19:46:01 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> This is unrelated to gpg being setuid or not.  It is also somewhat
> unrelated to gpg - *any* setgid program that can write to a file can
> write to a group-writable file with the same group.

Sure *any* setgid program can write to that. But should gpg do it?

Aren't the checks for effective rights there to handle that?

Gpg should handle everything it really needs the rights for (allocating that 
secure memory, ...) with the rights it has. And everything else (like 
reading/writing most of the files) with the rights of the user who called it.
(In Perl, checking for that looks like this:
# -r/-w test the effective uid/gid, -R/-W test the real uid/gid
if (-r $file && -w $file && -R $file && -W $file) { overwrite($file); }
)

If GnuPG wants to be setuid root, then it has to be developed to be safe in 
that way.

echo owned | gpg --passphrase-fd 0 -o $i own.gpg

- From gpg --help:
 -o, --output                     Als Ausgabedatei benutzen

It seems to me that the user requests to write to that file, so the rights of 
the user should be checked, in my opinion.

Many greetings,
- -- 
~ Philipp Gühring              p.guehring@futureware.at
~ http://www.livingxml.net/       ICQ UIN: 6588261
~ <xsl:value-of select="file:/home/philipp/.sig"/>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8MEnwlqQ+F+0wB3oRAkH0AJ9GLCFPrSUDS3SNBdWiUbRSZfu2XgCfaVW1
dAIzyFquNwWo8whqC/m0ZZk=
=oV9e
-----END PGP SIGNATURE-----
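
What the message asks for, doing the `-o` write with the rights of the calling user rather than the set-ID rights, sketched in C as an added example; it is not part of the original message and not GnuPG code. `open_output_as_invoker` is a hypothetical name and the 0600 file mode is an assumption.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Hypothetical helper (not GnuPG code): open a user-named output file with
 * the rights of the invoking user instead of the setuid/setgid identity.
 * Switching the effective IDs around open() lets the kernel perform the
 * permission check, which avoids the check-then-open race of access(2).
 * Returns a file descriptor, or -1 with errno set.
 */
int open_output_as_invoker(const char *path)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    int fd, saved_errno;

    /* Switch both effective IDs to the real (invoking user's) IDs. */
    if (setegid(getgid()) != 0)
        return -1;
    if (seteuid(getuid()) != 0) {
        saved_errno = errno;
        if (setegid(saved_egid) != 0)
            abort();            /* inconsistent identity: fail closed */
        errno = saved_errno;
        return -1;
    }

    /* The kernel now checks 'path' against the invoking user's rights. */
    fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    saved_errno = errno;

    /* Restore the set-ID identity; the saved set-user-ID and
     * saved set-group-ID permit switching back. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0)
        abort();                /* could not restore: fail closed */

    errno = saved_errno;
    return fd;
}
```

Run without set-ID bits the switches are no-ops; in a setgid binary the open fails with EACCES for a file that is writable only through the program's group.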