[Fwd: perl EUID change causing failure]

Marcel Chastain - Security Administration mchastain at ipowerweb.com
Tue Aug 1 02:21:44 CEST 2006


Yeah, I already have a workaround in place, I just wanted to report it 
to the community/developers. This is a new bug, and I think they'd be 
interested in why it's happening... Perhaps the gnupg-devel mailing list 
would be better..?



Jonathan Rockway wrote:
> Might I suggest using a pre-implemented perl solution?
>
> Crypt::OpenPGP:
> http://search.cpan.org/~btrott/Crypt-OpenPGP-1.03/lib/Crypt/OpenPGP.pm
> GnuPG::Interface: http://search.cpan.org/~ftobin/GnuPG-Interface-0.33/
>
> And also, GPG, Mail::GPG, Crypt::GPG, or Mail::GnuPG.
>
> http://search.cpan.org/search?query=gpg&mode=all
>
> In other words, other people have already worked out the details, so why
> not try one of those modules before fighting with something that's not
> really worth your time?
>
> Regards,
> Jonathan Rockway
>
>
> Marcel Chastain - Security Administration wrote:
>   
>> I have a perl wrapper around gpg for use within a web app. It changes
>> its 'EUID' (Effective UserID) early in the script.
>> From there, it attempts to run
>> /usr/local/bin/gpg --list-public-keys
>>
>> My test script:
>> #!/usr/bin/perl
>> $ENV{'GNUPGHOME'} = '/home/username/.gnupg';
>> my $uid = getpwnam("username");
>> $> = $uid;
>> print `/usr/local/bin/gpg --list-public-keys`;
>>
>> The output:
>> gpg: Ohhhh jeeee: ... this is a bug (gpg.c:1880:main)
>> secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768
>>
>> (replace the word 'username' with a user on your system for testing
>> purposes)
>> Now, this *only* happens when setting the EUID. I can set the
>> RealUID($<) and things work perfectly.
>>
>> Does this have something to do with the code updates mentioned in the
>> "What's New" section..? (
>> http://lists.gnupg.org/pipermail/gnupg-announce/2006q2/000226.html )
>>
>>     User IDs are now capped at 2048 bytes.  This avoids a memory
>>     allocation attack (see CVE-2006-3082).
>>
>> Running gnupg 1.4.4 compiled from ports, freebsd 4.11-STABLE .
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> Subject: perl EUID change causing failure
>> From: Marcel Chastain - Security Administration <mchastain at ipowerweb.com>
>> Date: Wed, 26 Jul 2006 16:26:48 -0700
>> To: gnupg-devel at gnupg.org
>>
>>
>> I have a perl wrapper around gpg for use within our company's internal
>> control panel. It changes its 'EUID' (Effective UserID) early in the
>> script.
>> From there, it attempts to run
>> /usr/local/bin/gpg --list-public-keys
>>
>> My test script:
>> #!/usr/bin/perl
>> $ENV{'GNUPGHOME'} = '/home/username/.gnupg';
>> my $uid = getpwnam("username");
>> $> = $uid;
>> print `/usr/local/bin/gpg --list-public-keys`;
>>
>> The output:
>> gpg: Ohhhh jeeee: ... this is a bug (gpg.c:1880:main)
>> secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768
>>
>> (replace the word 'username' with a user on your system for testing
>> purposes)
>> Now, this *only* happens when setting the EUID. I can set the RealUID
>> and things work perfectly.
>>
>> Running gnupg 1.4.4 compiled from ports, freebsd 4.11-STABLE .
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Gnupg-users mailing list
>> Gnupg-users at gnupg.org
>> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>>   
>>     
>
>

-- 

#######################
Marcel C.
Security Administration
iPower, Inc.
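
Added example, not part of the original message or of GnuPG: one way for a root-started Perl wrapper to run gpg on behalf of a user is to fork and switch the group and the real and effective UID in the child before exec, so gpg starts with matching IDs, as it would from that user's login shell. The name `run_as_user` is hypothetical; `username` and the paths are the placeholders from the report above.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX qw(setuid setgid getgid getegid);

# Hypothetical helper: run @cmd as $user and return (exit status, output lines).
# Assumes the wrapper itself starts as root. Only the forked child changes
# identity, so the parent keeps its privileges for later requests.
sub run_as_user {
    my ($user, $gnupghome, @cmd) = @_;
    my ($uid, $gid) = (getpwnam($user))[2, 3];
    defined $uid or die "unknown user: $user\n";

    my $pid = open(my $out, '-|');      # fork; child's STDOUT is piped to parent
    defined $pid or die "fork failed: $!\n";

    if ($pid == 0) {                    # child process
        $ENV{GNUPGHOME} = $gnupghome;
        # Groups first: after the UID change we are no longer allowed to set them.
        $) = "$gid $gid";               # effective gid + supplementary group list
        setgid($gid) or die "setgid($gid) failed: $!\n";
        # As root, setuid() changes real, effective and saved UID together.
        # Assigning only $> would leave real/saved UID 0, which the child
        # could switch back to.
        setuid($uid) or die "setuid($uid) failed: $!\n";
        # Verify the drop before handing control to the external program.
        die "privilege drop incomplete\n"
            unless $< == $uid && $> == $uid
                && getgid() == $gid && getegid() == $gid;
        # List-form exec: no shell is involved in running the command.
        exec { $cmd[0] } @cmd or die "exec $cmd[0] failed: $!\n";
    }

    my @lines = <$out>;
    close($out);                        # waits for the child and sets $?
    return ($? >> 8, @lines);
}

# Constructed usage with the placeholder user and paths from the report.
my ($status, @output) = run_as_user('username', '/home/username/.gnupg',
                                    '/usr/local/bin/gpg', '--list-public-keys');
print @output;
exit $status;
```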




