Package: gpg
Version: 2.4.5-1
Severity: important
X-Debbugs-Cc: debian-bug-re...@03.softkill.org

Dear Maintainer,

The following creates an endless loop:

sudo apt install gpg
sudo mkdir -p /etc/gnupg/gpg.conf
gpg --version

Afterwards gpg becomes unusable system-wide.
To create the directory you usually need privileges; however, my expectation is
that an empty directory like the one shown above should never do this type of harm!

I mark this important, as this loop affects all gpg processes system-wide
and hence might be used to create a DoS if somebody somehow manages
to create this file as a directory instead.

Also the path /etc/gnupg/gpg.conf is not documented in man gpg.
Undocumented paths should not be exploitable to create harm.
Hence my expectation is that

- this file should be documented
- there should be a way to ignore this file such that gpg does not access this file
- gpg should ignore errors from this file if it is unreadable (like being a directory)

I do not have any expectation about what happens when this is a file which
includes errors.  This should be part of the documentation.

I tried to report this upstream, but failed, as I was unable to register.

The bug affects stable, unstable and experimental and was tested on a VM.


-- System Information:
Debian Release: 12.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-18-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to C.UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gpg depends on:
ii  gpgconf          2.4.5-1
ii  libassuan0       2.5.5-5
ii  libbz2-1.0       1.0.8-5+b1
ii  libc6            2.36-9+deb12u4
ii  libgcrypt20      1.10.3-2
ii  libgpg-error0    1.46-1
ii  libnpth0t64      1.6-3.1
ii  libreadline8t64  8.2-4
ii  libsqlite3-0     3.40.1-2
ii  zlib1g           1:1.2.13.dfsg-1

Versions of packages gpg recommends:
ii  gnupg  2.4.5-1

gpg suggests no packages.

-- no debconf information
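As an added check, not part of this report or of GnuPG, a POSIX shell audit that flags the condition described above before gpg is invoked: it classifies each gpg.conf path (regular file, missing, directory, unreadable) and, when gpg and coreutils timeout are present, detects the hang by bounding a run of gpg --version. The per-user path under GNUPGHOME (defaulting to ~/.gnupg) and the 5-second bound are assumptions.

```shell
# Classify a gpg config path: "ok" (regular readable file), "missing",
# "directory" (the condition in the report above) or "unreadable".
gpg_conf_state() {
    path=$1
    if [ ! -e "$path" ]; then
        echo missing
    elif [ -d "$path" ]; then
        echo directory
    elif [ -f "$path" ] && [ -r "$path" ]; then
        echo ok
    else
        echo unreadable
    fi
}
# Print one line per path; return 1 if any path would make gpg misbehave.
gpg_conf_audit() {
    rc=0
    for p in "$@"; do
        state=$(gpg_conf_state "$p")
        echo "$p: $state"
        case $state in
            directory|unreadable) rc=1 ;;
        esac
    done
    return $rc
}
# Probe the hang itself with a bounded "gpg --version", which normally returns
# at once; coreutils timeout exits 124 when the bound (assumed 5s) is hit.
gpg_hang_probe() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed"; return 0; }
    command -v timeout >/dev/null 2>&1 || { echo "no timeout(1)"; return 0; }
    if timeout 5 gpg --version >/dev/null 2>&1; then
        echo "gpg --version returned normally"
        return 0
    else
        st=$?
        if [ "$st" -eq 124 ]; then
            echo "gpg --version hung for >5s: possible config loop"
            return 1
        fi
        echo "gpg --version failed with status $st (not a hang)"
        return 0
    fi
}
# Stand-alone run: the system-wide path from the report plus the assumed per-user path.
gpg_conf_audit /etc/gnupg/gpg.conf "${GNUPGHOME:-${HOME:-/root}/.gnupg}/gpg.conf" \
    || echo "WARNING: a gpg.conf path is unusable; gpg may loop"
gpg_hang_probe || true
```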
