Control: tags -1 fixed-upstream
Control: reassign -1 libgpg-error0

https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgpg-error.git;a=commitdiff;h=2dc93cfecc7a7b22fd08365a789b8c6c4b8cc36c;hp=92f874e7d1150c44d8c5d4d5e2c2ddf5299e1064

Fixed upstream.

/Sune

On Sunday, April 7, 2024 7:48:07 PM CEST Valentin Hilbig wrote:
> Package: gpg
> Version: 2.4.5-1
> Severity: important
> X-Debbugs-Cc: debian-bug-re...@03.softkill.org
>
> Dear Maintainer,
>
> the following creates an endless loop:
>
> sudo apt install gpg
> sudo mkdir -p /etc/gnupg/gpg.conf
> gpg --version
>
> Afterwards gpg becomes unusable system wide.
> To create the directory you usually need privileges; however, my expectation
> is that some empty directory like the one shown above should never do this
> type of harm!
>
> I mark this important, as this loop affects all gpg processes system wide
> and hence might be used to create a DoS if somebody somehow manages
> to create this file as a directory instead.
>
> Also the path /etc/gnupg/gpg.conf is not documented in man gpg.
> Undocumented paths should not be exploitable to create harm.
> Hence my expectation is that
>
> - this file should be documented
> - there should be a way to ignore this file such that gpg does not access
>   this file
> - gpg should ignore errors in this file if it is unreadable (like being a
>   directory)
>
> I do not have any expectation about what happens when this is a file which
> includes errors. This should be part of the documentation.
>
> I tried to report this upstream, but failed, as I was unable to register.
>
> The bug affects stable, unstable and experimental and was tested on a VM.
>
>
> -- System Information:
> Debian Release: 12.5
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 6.1.0-18-amd64 (SMP w/4 CPU threads; PREEMPT)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to C.UTF-8), LANGUAGE not set
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages gpg depends on:
> ii  gpgconf          2.4.5-1
> ii  libassuan0       2.5.5-5
> ii  libbz2-1.0       1.0.8-5+b1
> ii  libc6            2.36-9+deb12u4
> ii  libgcrypt20      1.10.3-2
> ii  libgpg-error0    1.46-1
> ii  libnpth0t64      1.6-3.1
> ii  libreadline8t64  8.2-4
> ii  libsqlite3-0     3.40.1-2
> ii  zlib1g           1:1.2.13.dfsg-1
>
> Versions of packages gpg recommends:
> ii  gnupg  2.4.5-1
>
> gpg suggests no packages.
>
> -- no debconf information
>
> _______________________________________________
> pkg-gnupg-maint mailing list
> pkg-gnupg-ma...@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-gnupg-maint

--
I didn’t stop pretending when I became an adult, it’s just that when I was a
kid I was pretending that I fit into the rules and structures of this world.
And now that I’m an adult, I pretend that those rules and structures exist.
- zefrank
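The trigger in the report above is a config path that exists but is a directory rather than a regular file. Until the linked upstream fix is deployed, an operator can detect that condition before gpg ever reads the path. The following POSIX sh script is an added example written for this page; it is not part of the bug report, of Debian's packaging, or of GnuPG. It assumes the /etc/gnupg directory named in the report, and additionally checks gpg-agent.conf and dirmngr.conf, which are GnuPG config file names not mentioned in the report.

```shell
#!/bin/sh
# Added example (not from the bug report or GnuPG): a pre-flight check that
# classifies a GnuPG config path before gpg is invoked. The report's trigger
# is /etc/gnupg/gpg.conf existing as a directory; this catches that case as
# well as unreadable or non-regular files.

# gpg_conf_state PATH
#   Prints one of: absent | ok | directory | special | unreadable
#   Returns 0 only for "absent" or "ok" (the states gpg handles normally).
gpg_conf_state() {
    p=$1
    if [ ! -e "$p" ]; then
        echo absent
        return 0
    elif [ -d "$p" ]; then
        echo directory          # the case from the report
        return 1
    elif [ ! -f "$p" ]; then
        echo special            # fifo, socket, device: not a config file
        return 1
    elif [ ! -r "$p" ]; then
        echo unreadable
        return 1
    fi
    echo ok
    return 0
}

# check_gpg_confs [DIR]
#   Checks the system-wide config files under DIR (default /etc/gnupg, the
#   directory from the report). gpg-agent.conf and dirmngr.conf are assumed
#   additional GnuPG config names, not taken from the report. Prints one
#   line per file and returns the number of problems found, so a zero exit
#   status means "safe to run gpg".
check_gpg_confs() {
    dir=${1:-/etc/gnupg}
    problems=0
    for name in gpg.conf gpg-agent.conf dirmngr.conf; do
        state=$(gpg_conf_state "$dir/$name") || problems=$((problems + 1))
        printf '%-32s %s\n' "$dir/$name" "$state"
    done
    return "$problems"
}

# Run the check only when invoked as a script with --check, so the file can
# also be sourced to reuse the functions.
if [ "${1:-}" = "--check" ]; then
    check_gpg_confs "${2:-/etc/gnupg}"
fi
```

Run it as `sh gpg-conf-check.sh --check` on the host (or pass a different directory as a second argument); a non-zero exit status together with a `directory` or `unreadable` line is the condition to alert on. The classification is kept separate from the loop so that a monitoring job can call `gpg_conf_state` on any single path it cares about.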