<html><head></head><body><div style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:13px;"><div></div>
<div>Dear Ben,</div><div><br></div><div>Thanks for the update.</div><div><br></div><div>Regards,</div><div><br></div><div>Vinay Sajip</div><div><br></div>
<div id="ydpf2e5569fyahoo_quoted_1718660901" class="ydpf2e5569fyahoo_quoted">
<div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">
<div>
On Monday, 19 March 2018, 04:11:03 GMT, ben@adversary.org <ben@adversary.org> wrote:
</div>
<div><br></div>
<div><br></div>
<div>On Sun, Mar 18, 2018 at 05:07:02PM +0000, Vinay Sajip via Gnupg-devel wrote:<br clear="none">> Dear Ben,<br clear="none">> I am the maintainer of the python-gnupg package. This section about<br clear="none">> it in your HOWTO is, I believe, incorrect: "Unfortunately it has<br clear="none">> been beset by a number of security issues, most of which stemmed<br clear="none">> from using unsafe methods of accessing the command line via the<br clear="none">> subprocess calls."<br clear="none"><br clear="none">I've amended it to indicate that that was the case in the past, but<br clear="none">that efforts have been made to mitigate that.<br clear="none"><br clear="none">> At one time this was true - the subprocess calls in early versions<br clear="none">> were made with shell=True and therefore subject to injection<br clear="none">> attacks. However, this has not been the case for quite some time -<br clear="none">> subprocess is currently called with shell=False and not (as far as I<br clear="none">> know) insecure in the way you describe.<br clear="none"><br clear="none">The HOWTO was mainly referring to the old shell=True issues and the<br clear="none">current change should address that in context.<br clear="none"><br clear="none">> You also say "most of which stemmed from using unsafe methods of<br clear="none">> accessing the command line" - what were the *other* security issues,<br clear="none">> and where were they raised / who raised them?<br clear="none"><br clear="none">That also referred to the code you added to prevent certain types of<br clear="none">operators being used to inject code even via shell=False, but without<br clear="none">going into the full details in what's essentially a short summary.<br clear="none"><br clear="none">So the "who" there would be you and looking at things like the<br clear="none">"UNSAFE" regex mitigation you have on line 93 of the current code. ;)<br clear="none"><br clear="none">> Obviously, I want to ensure that python-gnupg has no avoidable<br clear="none">> security issues, so your feedback would be helpful in achieving<br clear="none">> this.<br clear="none"><br clear="none">Fair enough. I know I've commented on a few past logged issues, but<br clear="none">it has been a while (I got distracted by, well, by this project).<br clear="none"><br clear="none">> I would also be grateful if you updated your HOWTO to remove the<br clear="none">> inaccuracy about python-gnupg.<br clear="none"><br clear="none">Done. Though I stopped short of giving it the complete all clear on<br clear="none">the grounds that there hasn't been a full audit of the project<br clear="none">recently. I don't think it'll do bad things, but that's not the same<br clear="none">as knowing for sure.<br clear="none"><br clear="none">Also, I stopped using it before the shell changes were made, so I'm<br clear="none">not across the most recent updates. For my own projects I briefly<br clear="none">used the, now very defunct, PyCrypto library (before the project<br clear="none">died), and then switched to my port of pyme and its brief appearance<br clear="none">as pyme3 in 2015. Then ultimately updated to the current bindings<br clear="none">after Justus worked his magic on pyme3 to make them this thing.<br clear="none"><br clear="none">I think the last time I really looked at python-gnupg was around the<br clear="none">time support was added for enabling multiple signatures of a single<br clear="none">file or message. I vaguely recall citing my own key transition<br clear="none">statement as the use case for someone else's feature request. So that<br clear="none">was clearly a while ago.<div class="ydpf2e5569fyqt5422117051" id="ydpf2e5569fyqtfd13469"><br clear="none"><br clear="none"><br clear="none">Regards,<br clear="none">Ben</div></div>
</div>
</div></div></body></html>