[Fwd: perl EUID change causing failure]

Marcel Chastain - Security Administration mchastain at ipowerweb.com
Mon Jul 31 22:20:27 CEST 2006


I have a perl wrapper around gpg for use within a web app. It changes 
its 'EUID' (Effective UserID) early in the script.
From there, it attempts to run
/usr/local/bin/gpg --list-public-keys

My test script:
#!/usr/bin/perl
$ENV{'GNUPGHOME'} = '/home/username/.gnupg';
my $uid = getpwnam("username");
$> = $uid;
print `/usr/local/bin/gpg --list-public-keys`;

The output:
gpg: Ohhhh jeeee: ... this is a bug (gpg.c:1880:main)
secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768

(replace the word 'username' with a user on your system for testing 
purposes)
Now, this *only* happens when setting the EUID. I can set the 
RealUID($<) and things work perfectly.

Does this have something to do with the code updates mentioned in the 
"What's New" section..? ( 
http://lists.gnupg.org/pipermail/gnupg-announce/2006q2/000226.html )

	User IDs are now capped at 2048 bytes.  This avoids a memory
	allocation attack (see CVE-2006-3082).

Running gnupg 1.4.4 compiled from ports, freebsd 4.11-STABLE .


-- 

#######################
Marcel C.
Security Administration
iPower, Inc.


-------------- next part --------------
An embedded message was scrubbed...
From: Marcel Chastain - Security Administration <mchastain at ipowerweb.com>
Subject: perl EUID change causing failure
Date: Wed, 26 Jul 2006 16:26:48 -0700
Size: 1252
Url: /pipermail/attachments/20060731/90c22ed5/perlEUIDchangecausingfailure-0001.mht
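
The message above reports that gpg fails when only the effective UID is changed and works when the real UID is set. The following is an added example, not part of the original message: a root-run wrapper that forks a child, changes the group and user IDs together, checks that real and effective IDs match, and only then runs gpg. 'username' and the gpg path are the placeholders used in the post; the keyring location under the account's home directory is an assumption.

```perl
#!/usr/bin/perl
# Added example (assumes the wrapper itself starts as root).
# The parent stays privileged; only the forked child changes identity.
use strict;
use warnings;
use POSIX ();

my $user = 'username';               # placeholder account, as in the post
my $gpg  = '/usr/local/bin/gpg';     # path from the post

my ($uid, $gid, $home) = (getpwnam($user))[2, 3, 7];
defined $uid or die "unknown user '$user'\n";

# Fork with the child's STDOUT connected to $out in the parent.
my $pid = open(my $out, '-|');
defined $pid or die "fork failed: $!\n";

if ($pid == 0) {
    # Child: groups first (root is still needed for this), then the user ID.
    $! = 0;
    $) = "$gid $gid";                # effective GID plus supplementary list
    die "setgroups: $!\n" if $!;
    POSIX::setgid($gid) or die "setgid($gid): $!\n";
    POSIX::setuid($uid) or die "setuid($uid): $!\n";

    # Verify with fresh system calls that real and effective IDs agree.
    POSIX::getuid() == $uid && POSIX::geteuid() == $uid
        or die "UID change incomplete\n";
    POSIX::getgid() == $gid && POSIX::getegid() == $gid
        or die "GID change incomplete\n";
    # The change must be irreversible for a non-root target.
    die "still able to regain root\n" if $uid != 0 && POSIX::setuid(0);

    # Minimal environment; keyring under the account's home (assumption).
    %ENV = (PATH => '/usr/bin:/bin', HOME => $home,
            GNUPGHOME => "$home/.gnupg");
    # List form of exec: no shell is involved.
    exec { $gpg } $gpg, '--list-public-keys'
        or die "exec $gpg: $!\n";
}

# Parent: collect the child's output and report a non-zero exit.
print while <$out>;
close($out) or warn "gpg exited with status " . ($? >> 8) . "\n";
```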

