Package: onak
Version: 0.3.2-1.1
[output of reportbug at the end]

Some adventurous programmers I know are working on a system that uses PGP certificate user ids in unusual ways. Some of the userids are essentially URIs in this system. The system needed to talk to a local keyserver, so we set one up using onak and mathopd, which was easy and worked very well, but this led to us finding a minor little bug in onak.

When a remote client requests a lookup of a key to which are attached user ids containing the ':' (colon) character, onak does not escape the colon in its response, which results in the user seeing an incorrect user id. This would also affect normal user id comments and other strings in user ids that might contain colons, even for user ids that are not URI-like.

DETAILS:

For example, if onak's data contains a key with the userid ssh://example.org attached, and a user issues the command:

  # gpg --keyserver my.onak.example.org --search-keys example

The response comes back:

  gpg: searching for "example" from hkp server my.onak.example.org
  (1)  ssh
         2048 bit RSA key ADF1B2A9757DEC5F003051A265EDC684428B63AA, created: 2008-06-20

where it should be:

  gpg: searching for "example" from hkp server my.onak.example.org
  (1)  ssh://example.org
         2048 bit RSA key ADF1B2A9757DEC5F003051A265EDC684428B63AA, created: 2008-06-20

Everything after the colon was truncated in the response, which could be a problem when distinguishing a key from another by looking at its user id.

One can see the unescaped colon here in onak's response to a wget query:

  # wget -q -O- 'http://my.onak.example.org:11371/pks/lookup?op=index&options=mr&search=example'
  info:1:1
  pub:ADF1B2A9757DEC5F003051A265EDC684428B63AA:1:2048:1213945978::
  uid:ssh://example.org

Whereas from other keyservers the response would have been something like:

  info:1:1
  pub:ADF1B2A9757DEC5F003051A265EDC684428B63AA:1:2048:1213945978::
  uid:ssh%3A//example.org

The above was confirmed by checking public keyservers known to be running other keyserver software.

Presumably this affects other characters besides colon, but I have not checked, and it might not be relevant, as colons seem to be used as delimiters by the recipient (gpg in this case).

Thanks for listening, keep up the good work.

--mjgoins

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: powerpc (ppc)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-powerpc
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages onak depends on:
ii  adduser          3.102              Add and remove users and groups
ii  libc6            2.3.6.ds1-13etch5  GNU C Library: Shared libraries
ii  libdb4.2         4.2.52+dfsg-2      Berkeley v4.2 Database Libraries

Versions of packages onak recommends:
ii  mathopd [httpd]  1.5p5-1            Very small, yet very fast
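The report above shows the symptom (a "uid:" line whose unescaped colon gets read as a field separator) but not the mechanics on either side. The following is an added example, written for this page and not taken from onak, gpg or the bug report: it builds the machine-readable "uid:" line both the way the report shows onak emitting it and the way the other keyservers do, then splits the line on colons the way a gpg-style consumer does, so the truncation to "ssh" is reproduced and the escaped form round-trips. The escaping rule applied is my reading of the HKP draft (draft-shaw-openpgp-hkp): ':' and any byte that is not printable 7-bit ASCII must be %XX-escaped, and '%' itself is escaped as well so that decoding stays unambiguous. Function names, the bare "uid:<string>" line shape and the constructed sample key data (copied from the report) are assumptions of the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-escape a user ID for the "uid:" line of an HKP machine-readable
 * index.  Rule assumed here: ':' and anything outside printable 7-bit ASCII
 * is %XX-escaped; '%' is escaped too so the consumer's decode is unambiguous.
 * Returns a malloc'd string (caller frees) or NULL on allocation failure. */
char *hkp_escape_uid(const char *uid)
{
    size_t len = strlen(uid);
    char *out = malloc(len * 3 + 1);   /* worst case: every byte becomes %XX */
    char *p;
    const unsigned char *s;

    if (out == NULL)
        return NULL;
    p = out;
    for (s = (const unsigned char *)uid; *s != '\0'; s++) {
        if (*s == ':' || *s == '%' || *s < 0x20 || *s > 0x7e)
            p += sprintf(p, "%%%02X", (unsigned int)*s);
        else
            *p++ = (char)*s;
    }
    *p = '\0';
    return out;
}

/* Format the "uid:" line as a keyserver would send it.  escape == 0
 * reproduces the unescaped line the report shows onak producing. */
int hkp_uid_line(char *dst, size_t dstlen, const char *uid, int escape)
{
    char *esc;
    int n;

    if (escape) {
        esc = hkp_escape_uid(uid);
    } else {
        esc = malloc(strlen(uid) + 1);
        if (esc != NULL)
            strcpy(esc, uid);
    }
    if (esc == NULL)
        return -1;
    n = snprintf(dst, dstlen, "uid:%s", esc);   /* trailing fields omitted, as in the report */
    free(esc);
    return (n < 0 || (size_t)n >= dstlen) ? -1 : 0;
}

/* Copy colon-delimited field n (0-based) of line into dst.  This is the
 * consumer-side split that turns an unescaped ':' into a field boundary.
 * Returns 0 on success, -1 if the field is missing or does not fit. */
int colon_field(const char *line, int n, char *dst, size_t dstlen)
{
    const char *start = line, *end;
    size_t len;
    int i;

    for (i = 0; i < n; i++) {
        const char *c = strchr(start, ':');
        if (c == NULL)
            return -1;
        start = c + 1;
    }
    end = strchr(start, ':');
    len = end ? (size_t)(end - start) : strlen(start);
    if (len >= dstlen)
        return -1;
    memcpy(dst, start, len);
    dst[len] = '\0';
    return 0;
}

/* Decode %XX escapes in place; malformed escapes are left untouched. */
void hkp_unescape(char *s)
{
    char *r = s, *w = s;

    while (*r != '\0') {
        if (*r == '%' && isxdigit((unsigned char)r[1]) && isxdigit((unsigned char)r[2])) {
            char hex[3] = { r[1], r[2], '\0' };
            *w++ = (char)strtol(hex, NULL, 16);
            r += 3;
        } else {
            *w++ = *r++;
        }
    }
    *w = '\0';
}

/* What the client ends up displaying: field 1 of the uid line, %-decoded. */
int hkp_display_uid(const char *line, char *dst, size_t dstlen)
{
    if (colon_field(line, 1, dst, dstlen) != 0)
        return -1;
    hkp_unescape(dst);
    return 0;
}

int main(void)
{
    /* Constructed sample: fingerprint, bit length and creation time are the
     * values quoted in the report; the uid is the one that triggered the bug. */
    const char *uid = "ssh://example.org";
    char line[256], shown[256];
    int escape;

    puts("info:1:1");
    puts("pub:ADF1B2A9757DEC5F003051A265EDC684428B63AA:1:2048:1213945978::");
    for (escape = 0; escape <= 1; escape++) {
        if (hkp_uid_line(line, sizeof line, uid, escape) != 0 ||
            hkp_display_uid(line, shown, sizeof shown) != 0)
            return 1;
        printf("%s\n    -> client displays: \"%s\"\n", line, shown);
    }
    return 0;
}
```

Escaping '%' is what makes the scheme invertible: a user id such as "100%3Areal" would otherwise decode to "100:real" on the client even though it never contained a colon. The same split-then-decode order is why only the producer can fix this; a consumer that tolerated raw colons would have no way to tell a uid colon from a field separator.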