OT egpg evaluation

flapflap flapflap at riseup.net
Sun May 8 14:09:14 CEST 2016


Robert J. Hansen:
> And at that point I decided that I *will not* test this code.  If
> WORKDIR is set in the user's environment before they start egpg, egpg
> will shred and rm -rf $WORKDIR.  This could have terrifying consequences
> for my doctoral thesis, and even worse if someone has WORKDIR set to
> something like /.
> 
> I found a potentially *system-destroying bug* in literally the *very
> first function I inspected*.  I've been very circumspect in my
> criticisms until now, Dashamir, because I really want to encourage
> people to hack on things.  But it took me under seven minutes to
> discover a bug that will destroy a user's hard drive, and that is not
> the sort of thing which inspires trust in your code.
> 
> Now do you understand why so many people here are getting upset about
> you recommending this package for inclusion in live Debian images,
> recommending it to new users, etc.?

Another thing I've seen by skimming through the sources is problems
with input sanitisation: if the input (e.g., file name) starts with "-"
or "--" it's interpreted as commands (for that reason, most unix tools
accept a "--" argument to interpret all following args as input/file
names, not as commands). I wasn't able to find a working shellcode
injection though, but I also didn't look at it with much care.
I really don't think that bash is the right language here...
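A hardened pattern for the two problems raised in this thread, as an added example that is not egpg's own code: the script creates its own work directory instead of trusting an inherited $WORKDIR, refuses to rm -rf anything that does not look like a directory it created, and ends option parsing with "--" before user-supplied file names. The egpg-example directory prefix and the demo file name are constructed assumptions.

```shell
#!/bin/sh
# Added example (not egpg's own code): defensive handling of the work
# directory and of file arguments that begin with "-".

# Create a private work directory; never reuse a caller-supplied $WORKDIR.
make_workdir() {
    WORKDIR=$(mktemp -d "${TMPDIR:-/tmp}/egpg-example.XXXXXX") || return 1
    echo "$WORKDIR"
}

# Remove a work directory only if it is one this script could have made.
cleanup_workdir() {
    dir=$1
    # Refuse empty, root, relative and ".."-containing paths before any rm -rf.
    case "$dir" in
        ""|/|.|..|*/..|*/../*|../*) return 1 ;;
        "${TMPDIR:-/tmp}"/egpg-example.*) ;;
        *) return 1 ;;
    esac
    [ -d "$dir" ] || return 1
    rm -rf -- "$dir"
}

# Byte count of a user-named file; "--" ends option parsing, so a name such
# as "--version" or "-rf" is read as a file name, not as an option.
file_size() {
    wc -c -- "$1" | awk '{print $1}'
}

# Demonstration: create a workdir, write a file literally named "--version"
# (constructed input), measure it, then remove only that workdir.
demo() {
    d=$(make_workdir) || return 1
    printf 'hello' > "$d/--version"
    ( cd "$d" && file_size "--version" )
    cleanup_workdir "$d"
}
```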



More information about the Gnupg-users mailing list