GnuPG exploit [Fwd: Possible problem with GnuPG 1.0.6]

David Shaw dshaw@jabberwocky.com
Sun Dec 30 23:59:02 2001


On Sun, Dec 30, 2001 at 04:31:08PM -0300, Renato Martini wrote:

> Hi ALL!
>
> I received this "possible problem" in GnuPG code and its exploit...
>
> Did anybody here read this forwarded message?

I can't duplicate that here with 1.0.6 or the 1.0.7 from CVS.  I
believe the exploit is in error - if the gpg binary is installed
setGID (set-group-id rather than set-user-id), then it can indeed
overwrite any group-writable file that shares this same group.

This is unrelated to gpg being setuid or not.  It is also somewhat
unrelated to gpg - *any* setgid program that can write to a file can
write to a group-writable file with the same group.

The question to ask is why is gpg being installed setgid on Mandrake
in the first place?  It's not supposed to be, and nothing in the
regular install makes it setgid.

I took a peek at the Mandrake CVS:
   http://www.linux-mandrake.com/cgi-bin/cvsweb.cgi/SPECS/gnupg/gnupg.spec?rev=1.17&content-type=text/x-cvsweb-markup

It seems the Mandrake folks already fixed the installation problem on
Tue Oct 23 2001.

David

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
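
The setgid behaviour described in the message above, as an added audit example that is not part of the original e-mail or of GnuPG: it reports whether a binary is installed setgid and which group-writable files under a directory that group could overwrite. The function names and the command-line arguments are assumptions made for this illustration.

```python
import os
import stat
import sys


def setgid_group(mode, gid):
    """Return the group a file executes with if it is setgid, else None.

    Linux honours setgid at exec time only on a regular file that also
    has the group-execute bit set.
    """
    wanted = stat.S_ISGID | stat.S_IXGRP
    if stat.S_ISREG(mode) and (mode & wanted) == wanted:
        return gid
    return None


def group_writable_by(gid, root):
    """Yield regular files under root that group gid is allowed to write."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # vanished or unreadable entry
            if (stat.S_ISREG(st.st_mode) and st.st_gid == gid
                    and st.st_mode & stat.S_IWGRP):
                yield path


def audit(binary, root):
    """Return (gid, exposed files), or (None, []) if binary is not setgid."""
    st = os.stat(binary)
    gid = setgid_group(st.st_mode, st.st_gid)
    if gid is None:
        return None, []
    return gid, sorted(group_writable_by(gid, root))


if __name__ == "__main__":
    # Hypothetical usage: python3 audit.py <path-to-binary> <directory>
    gid, exposed = audit(sys.argv[1], sys.argv[2])
    if gid is None:
        print("not setgid: no extra group write access")
    else:
        print(f"setgid to gid {gid}; group-writable files it can overwrite:")
        print("\n".join(exposed) or "(none)")
```
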
