View Issue Details

IDProjectCategoryView StatusLast Update
0001200Main CAcert WebsiteGPG/PGPpublic2014-02-22 07:21
Reporteransgar Assigned ToBenBE  
PrioritynormalSeverityminorReproducibilityhave not tried
Status closedResolutionfixed 
Product Version2013 Q3 
Target Version2013 Q3Fixed in Version2013 Q3 
Summary0001200: uses configuration files from world-writable directory
DescriptionFrom www/gpg.php:
----
$debugpg = $gpg = trim(`gpg --with-colons --homedir /tmp 2>&1 < $tnam`);
----

Besides `...` always being bad, one shouldn't trust configuration files from a world-writable location such as /tmp. Also the output of this command is fully controlled by the input and shouldn't be trusted at all.

Ansgar
TagsNo tags attached.
Reviewed byNEOatNHNG, BenBE
Test Instructions

Relationships

related to 0001206 closedwytze gpg signing does't work 

Activities

NEOatNHNG

2013-08-07 00:53

administrator   ~0004216

I have adjusted the code so that a freshly created temporary directory is used a gpg homedir instead of just /tmp/ which should avoid users giving a false configuration file. Also I rewrote the code so that it doesn't store the key into a temporary file on disk but uses the STDIN directly (which should avoid any remaining race conditions and is more efficient).

Please test and review.

BenBE

2013-08-07 20:12

updater   ~0004218

Patch generally okay, but I'd be more confident about this if proper validation of the returned directory name (does it exist and suffice the pattern?) was done. Also The removal of the temporary directory should be monitored properly to report failed cleanups to the error log.

INOPIAE

2013-08-07 20:31

updater   ~0004220

Last edited: 2013-08-09 05:13

View 3 revisions

While trying to create a new gpg key I get this error statement:
There was an error parsing your key.
=>fail

BenBE

2013-08-08 05:53

updater   ~0004221

There was also a missing $ sign in one condition which is now fixed. Please try again.

INOPIAE

2013-08-09 05:13

updater   ~0004223

The error still exists:
While trying to ctreate a new gpg key I get this error statement:
There was an error parsing your key.
=>fail

INOPIAE

2013-08-10 03:44

updater   ~0004225

Now it works.
I could create a GPG-Key
=>ok

MartinGummi

2013-08-13 20:50

updater   ~0004226

Now Works
i got a signed GPG-key

=> ok

NEOatNHNG

2013-08-25 22:45

administrator   ~0004253

Mail sent to critical admins.

wytze

2013-08-29 10:28

developer   ~0004263

The patch has been installed on the production server on August 29, 2013. See also: https://lists.cacert.org/wws/arc/cacert-systemlog/2013-08/msg00005.html

Issue History

Date Modified Username Field Change
2013-08-03 15:41 ansgar New Issue
2013-08-06 20:06 BenBE Assigned To => BenBE
2013-08-06 20:06 BenBE Status new => confirmed
2013-08-06 20:06 BenBE Product Version => 2013 Q3
2013-08-06 23:50 NEOatNHNG Source_changeset_attached => cacert-devel testserver-stable ddfbfc34
2013-08-06 23:50 NEOatNHNG Source_changeset_attached => cacert-devel testserver-stable 79a582ee
2013-08-07 00:53 NEOatNHNG Reviewed by => NEOatNHNG
2013-08-07 00:53 NEOatNHNG Note Added: 0004216
2013-08-07 00:53 NEOatNHNG Status confirmed => needs review & testing
2013-08-07 00:55 NEOatNHNG Source_changeset_attached => cacert-devel testserver-stable 49c75d71
2013-08-07 00:55 NEOatNHNG Source_changeset_attached => cacert-devel testserver-stable 359e6dac
2013-08-07 01:10 NEOatNHNG Source_changeset_attached => cacert-devel testserver-stable cd10afce
2013-08-07 01:10 NEOatNHNG Source_changeset_attached => cacert-devel testserver-stable a733a971
2013-08-07 20:12 BenBE Note Added: 0004218
2013-08-07 20:31 INOPIAE Note Added: 0004220
2013-08-07 20:31 INOPIAE Note Edited: 0004220 View Revisions
2013-08-08 05:50 BenBE Source_changeset_attached => cacert-devel testserver-stable 74d4bb0d
2013-08-08 05:50 BenBE Source_changeset_attached => cacert-devel testserver-stable be962501
2013-08-08 05:53 BenBE Note Added: 0004221
2013-08-09 05:13 INOPIAE Note Edited: 0004220 View Revisions
2013-08-09 05:13 INOPIAE Note Added: 0004223
2013-08-10 03:44 INOPIAE Note Added: 0004225
2013-08-13 20:50 MartinGummi Note Added: 0004226
2013-08-13 20:57 BenBE Reviewed by NEOatNHNG => NEOatNHNG, BenBE
2013-08-13 20:57 BenBE Status needs review & testing => ready to deploy
2013-08-13 20:57 BenBE Target Version => 2013 Q3
2013-08-25 22:30 NEOatNHNG Source_changeset_attached => cacert-devel release e40fba18
2013-08-25 22:45 NEOatNHNG Note Added: 0004253
2013-08-29 10:28 wytze Note Added: 0004263
2013-08-29 10:28 wytze Status ready to deploy => solved?
2013-08-29 10:28 wytze Fixed in Version => 2013 Q3
2013-08-29 10:28 wytze Resolution open => fixed
2013-09-10 17:48 Uli60 Relationship added related to 0001206
2013-11-20 22:21 NEOatNHNG View Status private => public
2014-02-22 07:21 INOPIAE Status solved? => closed