GnuPG 1.1.90 released
David Shaw
dshaw at jabberwocky.com
Wed Jul 3 02:19:02 CEST 2002

On Tue, Jul 02, 2002 at 05:25:39PM -0500, David Champion wrote:
> * On 2002.07.02, in <20020702214823.GE4624 at akamai.com>,
> * "David Shaw" <dshaw at jabberwocky.com> wrote:
> > On Tue, Jul 02, 2002 at 04:24:09PM -0500, David Champion wrote:
> > >
> > > Please give us a last call before 1.2 releases -- I'd like to lobby
> > > again for a couple of submitted patches before 1.2 goes out.
> >
> > Which ones? I've rolled a few of your patches in already :)
>
> Ah, I had missed the Solaris DSO checkin -- I only read gnupg-commits
> sporadically. Thanks. :)
>
> The other one was the --module-path option. I did this on a whim
> because someone in gnupg-users wanted something like that, but it would
> actually help me out, too -- currently I have to hand-edit g10defs.h
> for every build, since some modules installed at the site are not
> part of the gnupg distribution. (I posted this 6/25 in Message-ID:
> <20020625211733.GC28533 at dust.uchicago.edu>.)

--module-path scares me a little as it can be abused in certain cases
on multiuser systems. For example, say someone sets their module-path
to include a world-writable directory. All an attacker would need to
do is to drop a bogus "idea" or other module in there to subvert the
system.

There is a similar problem with the photo viewers and keyserver
helpers, but these programs are already assumed to be untrusted and/or
potentially hostile (and if someone has a subverted $PATH, then the
attacker could just replace gpg itself).

David

--
David Shaw | dshaw at jabberwocky.com | WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence." - Jeremy S. Anderson
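
Added example, not part of the original message and not GnuPG code: one way a loader could guard against the world-writable module directory described above, by refusing any module whose directory or file is writable by group or others, or owned by someone other than root or the caller. The function name `module_path_ok` is hypothetical, and the check assumes POSIX `openat`; parent directories above the module directory are not examined.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Owner must be root or the caller, and neither group nor others may write. */
static int perms_ok(const struct stat *st)
{
    if (st->st_uid != 0 && st->st_uid != geteuid())
        return 0;
    return (st->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Hypothetical check (not a GnuPG function): 1 if module `name` in `dir`
 * may be loaded, 0 otherwise. Ancestors of `dir` are not examined here. */
int module_path_ok(const char *dir, const char *name)
{
    struct stat st;
    int ok = 0, dfd, mfd;

    if (strchr(name, '/') != NULL)      /* name must stay inside dir */
        return 0;
    dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0)
        return 0;
    if (fstat(dfd, &st) == 0 && perms_ok(&st)) {
        /* Open relative to the checked descriptor so the directory cannot
         * be swapped between the check and the load. */
        mfd = openat(dfd, name, O_RDONLY | O_NOFOLLOW);
        if (mfd >= 0) {
            ok = fstat(mfd, &st) == 0 && S_ISREG(st.st_mode) && perms_ok(&st);
            close(mfd);
        }
    }
    close(dfd);
    return ok;
}

int main(int argc, char **argv)
{
    if (argc != 3)                      /* usage: MODULE_DIR MODULE_NAME */
        return EXIT_FAILURE;
    puts(module_path_ok(argv[1], argv[2]) ? "ok to load" : "refused");
    return EXIT_SUCCESS;
}
```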