gnupg-1.0.2 patch: LC_CTYPE needs to be imported

Werner Koch wk@gnupg.org
Thu, 17 Aug 2000 15:50:39 +0200


On Thu, 17 Aug 2000, Edmund GRIMLEY EVANS wrote:


> > not to allow overlong UTF-8 encodings to give a different encoding for
> > the standard ASCII characters like LF or BS.
>
> Is that check definitely necessary, or are you just being extra careful?

Yes. Otherwise I wouldn't need the print_string functions which are used to filter such things out. Assuming the user sits on some standard terminal you can create GPG messages which fake the output: e.g. you apply a faked user ID to a key and by using control sequences you overwrite the warning GPG gives or you use the control sequences in Notation data to replace GnuPG's BAD SIGNATURE message by "Good signature". There are probably a lot more attacks possible. Bruce Schneier talked about such issues in one of his last CryptoGrams and Markus Kuhn gave additional information in the last CryptoGram.

> annoyances and always do the same thing when you get EILSEQ: output
> the original octet as ? or quoted and advance the input pointer.

Okay, I will see whether I can get this into the next release.

> dnl (2) In glibc-2.1.2 and earlier there is a bug that messes up ob and
> dnl obl when args 2 and 3 are 0 (fixed in glibc-2.1.3).

Thanks.

  Werner

-- 
Werner Koch                   GnuPG key: 621CC013
OpenIT GmbH                   http://www.OpenIT.de
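
Added example, not part of the original message and not GnuPG's own code: a strict output filter of the kind discussed above, which rejects overlong UTF-8 forms so that LF or ESC cannot slip past a control-character check, and quotes one bad octet at a time as proposed for EILSEQ. The name `sanitize_utf8`, the `\xNN` quoting style and the sample bytes are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not GnuPG's print_string: copy UTF-8 text to out and
 * quote control characters and malformed or overlong sequences as \xNN, one
 * octet at a time.  Returns the escape count, or -1 if out is too small. */
static int sanitize_utf8(const unsigned char *in, size_t n, char *out, size_t outsz)
{
    static const unsigned long min_cp[5] = { 0, 0, 0x80, 0x800, 0x10000 };
    size_t i = 0, o = 0, k;
    int escapes = 0;
    if (outsz == 0) return -1;
    while (i < n) {
        unsigned char c = in[i];
        size_t len = c < 0x80 ? 1 : (c & 0xE0) == 0xC0 ? 2
                   : (c & 0xF0) == 0xE0 ? 3 : (c & 0xF8) == 0xF0 ? 4 : 0;
        unsigned long cp = len == 1 ? c : (unsigned long)(c & (0xFF >> (len + 1)));
        int ok = len != 0 && i + len <= n;   /* valid lead octet, not truncated */
        for (k = 1; ok && k < len; k++) {
            if ((in[i + k] & 0xC0) != 0x80) ok = 0;   /* not a continuation octet */
            cp = (cp << 6) | (in[i + k] & 0x3F);
        }
        /* Overlong form, out of range, or surrogate: one code point, one encoding. */
        if (ok && len > 1 && (cp < min_cp[len] || cp > 0x10FFFF || (cp - 0xD800) < 0x800)) ok = 0;
        /* C0 controls, DEL, C1 controls; backslash keeps the output unambiguous. */
        if (ok && (cp < 0x20 || (cp >= 0x7F && cp <= 0x9F) || cp == '\\')) ok = 0;
        if (!ok) {
            if (o + 5 > outsz) return -1;
            o += (size_t)sprintf(out + o, "\\x%02X", (unsigned)c);
            i++; escapes++;
        } else {
            if (o + len + 1 > outsz) return -1;
            memcpy(out + o, in + i, len);
            o += len; i += len;
        }
    }
    out[o] = '\0';
    return escapes;
}

/* Constructed sample: ESC, overlong LF (C0 8A), C1 CSI (C2 9B), then U+00E9. */
static const unsigned char sample[] = { 'A', 0x1B, '[', 'K', 0xC0, 0x8A, 0xC2, 0x9B, 'B', 0xC3, 0xA9 };
int main(void)
{
    char buf[64];
    int n = sanitize_utf8(sample, sizeof sample, buf, sizeof buf);
    printf("%d escapes: %s\n", n, buf);
    return 0;
}
```

A decoder that accepted `C0 8A` as LF after the control-character check had already run on raw octets would pass the line feed through; decoding strictly first and filtering on the code point closes that gap.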