A forgotten patch?

Alexander E. Fischer aef at raxys.net
Sat Feb 28 03:02:37 CET 2015


Hello,

I recently came to know that Felix von Leitner (Fefe) did a code audit
of GnuPG in 2009. According to him, the patch fixes lots of problems
that might be usable as attack vectors on GnuPG. It seems, however, as
if this patch was never included in upstream GnuPG. Because of that,
he keeps maintaining his patch and offers it freely on his personal
website [1].

Although I don't know him personally, as far as I know, Felix von Leitner
is a professional code security auditor and a reputable member of the
Chaos Computer Club. In earlier releases of GnuPG he was even mentioned
for supporting the project [2].

What are the reasons which led to the patch never being applied?
Is there any archived discussion available about that topic?
Have the problems addressed by the patch been fixed otherwise?

[1]: https://www.fefe.de/
[2]: http://article.gmane.org/gmane.comp.encryption.gpg.devel/10425/match=felix+von+leitner

Kind regards

Alexander E. Fischer