Date: Fri, 21 Sep 2012 12:41:26 +0200
From: Matthias Weckbecker <mweckbecker@...e.de>
To: oss-security@...ts.openwall.com
Cc: Dan Rosenberg <dan.j.rosenberg@...il.com>, vcizek@...e.de,
	tmraz@...hat.com
Subject: Re: CVE request(?): gpg: improper file permssions set when en/de-crypting files

On Friday 21 September 2012 12:35:49 Dan Rosenberg wrote:
[...]
> >
> > [1] https://bugzilla.novell.com/show_bug.cgi?id=780943
> >
> > Wouldn't one usually expect files that were previously encrypted to
> > contain sensitive content (that's probably why content is encrypted at
> > all)? And if so, shouldn't such files be only readable by certain users /
> > group of users by default? Otherwise, a file that is e.g. decrypted in
> > /tmp might leak due to the file permissions being too loose.
>
> GPG seems to just be honoring the umask:
>

Yes, that's correct. I think, however, that many distros ship umask=0022 by
default. That would be -rw-r--r--.

[...]
>
> Still might be worth fixing though.
>

I thought so too.

> -Dan

Thanks for your feedback so far!

Matthias

-- 
Matthias Weckbecker, Senior Security Engineer, SUSE Security Team
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg, Germany
Tel: +49-911-74053-0;  http://suse.com/
SUSE LINUX Products GmbH, GF: Jeff Hawn, HRB 16746 (AG Nuernberg) 
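
The umask behaviour discussed in this message, as an added example that is not part of the original post: a file created under umask 0022 ends up -rw-r--r--, and running the same command under umask 077 in a subshell yields -rw-------. `fake_decrypt`, `mode_of`, `with_private_umask` and the two `demo_*` helpers are hypothetical names; `fake_decrypt` is a constructed stand-in for any tool that leaves its output mode to the umask, and gpg itself is not invoked.

```shell
#!/bin/sh
# Constructed stand-in: writes "plaintext" via redirection, so the file is
# created with mode 0666 and the process umask decides the final permissions.
fake_decrypt() {            # $1 = output path
    printf 'constructed plaintext\n' > "$1"
}

# Print the symbolic mode of a file, e.g. -rw-r--r--
mode_of() {
    ls -l "$1" | cut -c1-10
}

# Run a command with umask 077. The function body is a subshell, so the
# caller's own umask is left untouched.
with_private_umask() (
    umask 077
    "$@"
)

# Create the output under the given umask and report the resulting mode.
demo_mode_under_umask() {   # $1 = umask, e.g. 022
    (
        dir=$(mktemp -d) || exit 1
        umask "$1"
        fake_decrypt "$dir/out.txt"
        mode_of "$dir/out.txt"
        rm -rf "$dir"
    )
}

# Same as above with the distro-default umask, but going through the wrapper.
demo_mode_with_wrapper() {
    (
        dir=$(mktemp -d) || exit 1
        umask 022
        with_private_umask fake_decrypt "$dir/out.txt"
        mode_of "$dir/out.txt"
        rm -rf "$dir"
    )
}

echo "umask 022:          $(demo_mode_under_umask 022)"
echo "umask 077:          $(demo_mode_under_umask 077)"
echo "umask 022 + wrapper: $(demo_mode_with_wrapper)"
```

In real use the wrapper would be placed in front of the actual decryption command, for example `with_private_umask gpg --output out.txt --decrypt in.gpg`.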
