Your message dated Sat, 27 Apr 2024 06:35:52 +0000
with message-id <[email protected]>
and subject line Bug#1068594: fixed in libgpg-error 1.49-1
has caused the Debian Bug report #1068594,
regarding gpg: 100% CPU endless loop after mkdir /etc/gnupg/gpg.conf
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1068594: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068594
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: gpg
Version: 2.4.5-1
Severity: important
X-Debbugs-Cc: [email protected]

Dear Maintainer,

following creates an endless loop:

sudo apt install gpg
sudo mkdir -p /etc/gnupg/gpg.conf
gpg --version

Afterwards gpg becomes unusable system wide.
To create the directory you usually need privileges; however, my expectation is
that an empty directory like the one shown above should never do this type of harm!

I mark this important, as this loop affects all gpg processes system wide
and hence might be used to create a DoS if somebody somehow manages
to create this file as a directory instead.

Also the path /etc/gnupg/gpg.conf is not documented in man gpg.
Undocumented paths should not be exploitable to create harm.
Hence my expectation is that

- this file should be documented
- there should be a way to ignore this file such that gpg does not access this file
- gpg should ignore errors for this file if it is unreadable (like being a directory)

I do not have any expectation about what happens when this is a file which
includes errors.  This should be part of the documentation.

I tried to report this upstream, but failed, as I was unable to register.

The bug affects stable, unstable and experimental and was tested on a VM.


-- System Information:
Debian Release: 12.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-18-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to C.UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gpg depends on:
ii  gpgconf          2.4.5-1
ii  libassuan0       2.5.5-5
ii  libbz2-1.0       1.0.8-5+b1
ii  libc6            2.36-9+deb12u4
ii  libgcrypt20      1.10.3-2
ii  libgpg-error0    1.46-1
ii  libnpth0t64      1.6-3.1
ii  libreadline8t64  8.2-4
ii  libsqlite3-0     3.40.1-2
ii  zlib1g           1:1.2.13.dfsg-1

Versions of packages gpg recommends:
ii  gnupg  2.4.5-1

gpg suggests no packages.

-- no debconf information

--- End Message ---
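A pre-flight check for the condition described in the report, as an added example in POSIX shell; it is not part of the bug report nor of the gpg or libgpg-error packages. It verifies that each config path is either absent or a readable regular file (so a directory at /etc/gnupg/gpg.conf, as in the reproduction above, is flagged before gpg is ever started), and optionally probes `gpg --version` under coreutils `timeout`, whose exit status 124 is taken to mean the process was killed for not returning. The per-user path `~/.gnupg/gpg.conf` and the 5-second budget are assumptions; the system path is the one from the report.

```shell
#!/bin/sh
# Added example: detect a config path that is a directory (or otherwise
# unreadable) instead of a file, the condition that made gpg spin at 100% CPU.
# Not code from the bug report or from the gpg/libgpg-error packages.

# Return 0 if $1 is absent or a readable regular file, 1 otherwise.
conf_path_ok() {
    path=$1
    if [ ! -e "$path" ]; then
        return 0                      # absent: gpg simply has nothing to read
    fi
    if [ -d "$path" ]; then
        echo "BAD: $path is a directory, not a file" >&2
        return 1
    fi
    if [ ! -f "$path" ] || [ ! -r "$path" ]; then
        echo "BAD: $path is not a readable regular file" >&2
        return 1
    fi
    return 0
}

# Check every path given as an argument; the return value is the number of
# bad paths, so 0 means all of them are safe to hand to gpg.
check_all() {
    bad=0
    for p in "$@"; do
        conf_path_ok "$p" || bad=$((bad + 1))
    done
    return $bad
}

# Probe whether gpg actually returns.  Assumption: coreutils `timeout` exits
# 124 when it has to kill the command, which here means gpg did not finish
# `--version` within 5 seconds (the endless loop from the report).
probe_gpg() {
    if ! command -v gpg >/dev/null 2>&1 || ! command -v timeout >/dev/null 2>&1; then
        echo "skip: gpg or timeout not installed" >&2
        return 0
    fi
    rc=0
    timeout 5 gpg --version >/dev/null 2>&1 || rc=$?
    if [ "$rc" -eq 124 ]; then
        echo "BAD: gpg --version did not return within 5s (endless loop?)" >&2
        return 1
    fi
    return 0
}

# Stand-alone run: the system path from the report plus the assumed
# per-user path.  Bad paths are reported on stderr.
if check_all /etc/gnupg/gpg.conf "${HOME:-/root}/.gnupg/gpg.conf" && probe_gpg; then
    echo "gpg config paths look sane"
else
    echo "gpg config check failed; see messages above"
fi
```

Run it as root before (or after) package upgrades on hosts where gpg must keep working; the `check_all` exit status can be wired straight into a monitoring check, and `probe_gpg` catches the symptom even if the cause is a path this script does not list.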
--- Begin Message ---
Source: libgpg-error
Source-Version: 1.49-1
Done: Andreas Metzler <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libgpg-error, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Metzler <[email protected]> (supplier of updated libgpg-error package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 27 Apr 2024 08:10:16 +0200
Source: libgpg-error
Architecture: source
Version: 1.49-1
Distribution: experimental
Urgency: medium
Maintainer: Debian GnuPG Maintainers <[email protected]>
Changed-By: Andreas Metzler <[email protected]>
Closes: 1068594
Changes:
 libgpg-error (1.49-1) experimental; urgency=medium
 .
   * Team upload.
   * New upstream version.
     + Avoids endless-loop on conf file read error. Closes:#1068594
     + Update symbol file.
Checksums-Sha1: 
 e9a7b1235d5ce168dd1ed8a5c9c2e40ac44c6350 2896 libgpg-error_1.49-1.dsc
 28668dc3f693dfd8fa6724c702559e45ab5b15c0 1081175 libgpg-error_1.49.orig.tar.bz2
 0ed11962cdf6f057309400ebebd2b116f4d114ee 228 libgpg-error_1.49.orig.tar.bz2.asc
 8962a5425ba6c45ebd6156900b584072354408d2 18780 libgpg-error_1.49-1.debian.tar.xz
Checksums-Sha256: 
 21c1069c056678f3cf1ffa8c210efefc9d7df128fe3c814f7140de9b6ef88abc 2896 libgpg-error_1.49-1.dsc
 8b79d54639dbf4abc08b5406fb2f37e669a2dec091dd024fb87dd367131c63a9 1081175 libgpg-error_1.49.orig.tar.bz2
 2b781c0b6cd865c28ec1006cf9fb4390303b2d52ffc7ed09bcb58a01348ef870 228 libgpg-error_1.49.orig.tar.bz2.asc
 1a4543c3df656d327e52b23132141b27c2d8776eda592f084451e1a6a43f7b67 18780 libgpg-error_1.49-1.debian.tar.xz
Files: 
 0cc6aa943c14bb60c5085fa161044b29 2896 libs optional libgpg-error_1.49-1.dsc
 9ea45a130048f9c35adb6f4dbf3d92e1 1081175 libs optional libgpg-error_1.49.orig.tar.bz2
 79b08c55ae36c7f52f68aa2a406875db 228 libs optional libgpg-error_1.49.orig.tar.bz2.asc
 01a35f4e8c5c2d538f97a70791db98a6 18780 libs optional libgpg-error_1.49-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgppDiArmn_sY.pgp
Description: PGP signature


--- End Message ---