More format string fixes for 1.2.3

Bernd Eckenfels lists at lina.inka.de
Wed Dec 17 11:04:50 CET 2003


On Wed, Dec 17, 2003 at 10:34:54AM +0100, Werner Koch wrote:
> Aiih, probably my mistake when I replaced the old error reporting
> function taking a filename as the first arg.  The changes are not
> critical because the db_name is the name of the trustdb file and the
> code is not run at a state where gpg is run under euid==0.

I hate to repeat Theo, he claimed something like "there are no uncritical
code sections, or uncritical security fixes". You never know how users are
calling gpg from which context, and it may allow privilege escalation. Sorry
for that rant, I am just a bit sensitive since the latest "not exploitable"
patches in Linux.

Bernd
-- 
  (OO)      -- Bernd_Eckenfels at Wendelinusstrasse39.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes at irc  +497257930613  BE5-RIPE
(O____O)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!



More information about the Gnupg-devel mailing list