Date: Mon, 4 Jul 2022 15:05:10 +0200
From: Noel Kuntze <noel.kuntze@...rmi.consulting>
To: oss-security@...ts.openwall.com,
 Peter van Dijk <peter.van.dijk@...erdns.com>
Subject: Re: DO NOT OPEN PREVIOUS MAIL Re: 
 Denial of service in GnuPG

Hi Peter,

It's really not that deep.
The attachment is not named after the naming scheme expected of signatures of emails, so clients won't try to process it in the context of opening or verifying an email.
I had to call gpg locally on the attached files to reproduce the issue.

But I agree that attaching such files that could be read by clients directly is not a good move.

Kind regards
Noel

On 04.07.22 at 14:15, Peter van Dijk wrote:
> Hello,
>
>> On 04/07/2022 07:31 Demi Marie Obenour <demi@...isiblethingslab.com> wrote:
>>
>> Signature (of /dev/null) that triggers this bug is attached, along with
>> the corresponding public key.
> This is insane. You can't send weaponised exploits that crash email clients to public mailing lists. Please do not do this again.
>
> Peter
