gnupg-1.0.2 patch: LC_CTYPE needs to be imported
Werner Koch
wk@gnupg.org
Thu, 17 Aug 2000 15:50:39 +0200
On Thu, 17 Aug 2000, Edmund GRIMLEY EVANS wrote:
> > not to allow overlong UTF-8 encodings to give a different encoding for
> > the standard ASCII characters like LF or BS.
>
> Is that check definitely necessary, or you just being extra careful?
Yes. Otherwise I won't need the print_string functions which are used
to filter such things out. Assuming the user sits on some standard
terminal you can create GPG messages which fake the out: e.g. you
apply a faked user ID to a key and bvy using control sequences you
overwrite the warning GPG gives or you use the control sequences in
Notation data to replace GnuPG's BAD SIGNATURE message by "Good
signature".
There are probably a lot more attacks possible. Bruce Schneier talked
about such issues in of his last CrytoGrams and Markus Kuhn gave
additional information in the last CryptoGram.
> annoyances and always do the same thing when you get EILSEQ: output
> the original octet as ? or quoted and advance the input pointer.
Okay, I will see whether I can get this into the next release.
> dnl (2) In glibc-2.1.2 and earlier there is a bug that messes up ob and
> dnl obl when args 2 and 3 are 0 (fixed in glibc-2.1.3).
Thanks.
Werner
--
Werner Koch GnuPG key: 621CC013
OpenIT GmbH http://www.OpenIT.de