Re: mutt/2839: GnuPG and GnuPG clients unsigned data injection
* Thu Mar 8 2007 Christoph Berg <cb@xxxxxxxx>
> ----- Forwarded message from Jö Fahlke <jorrit@xxxxxxxxx> -----
> Core Securities advisory:
> http://www.coresecurity.com/?action=item&id=1687
>
> Announcement on the GnuPG mailinglist:
> http://lists.gnupg.org/pipermail/gnupg-announce/2007q1/000251.html
>
> I was able to verify that the second way of attack variant 2 described
> by Core Security does indeed work with mutt from testing. A testcase
> is attached.
I don't know whether this is a bug in mutt or not,
but here is a sample shell script to count messages.
Because the latest GnuPG/GPGME already fixed it,
I don't think mutt has to take care of it.
--
tamo
diff -r 5de130a3cb96 contrib/gpgdecode.sh
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/contrib/gpgdecode.sh Fri Mar 09 13:40:07 2007 +0900
@@ -0,0 +1,35 @@
+#!/bin/sh
+# Usage: set pgp_decode_command="gpgverify.sh %f"
+
+################## DANGEROUS ##################
+# This script stores decrypted text as a file #
+###############################################
+
+# we use /tmp
+gpg_status=`mktemp /tmp/mutt-gpgstatus.XXXXXX` || exit 1
+gpg_text=`mktemp /tmp/mutt-gpgstatus.XXXXXX` || exit 1
+
+/usr/bin/gpg --status-fd=2 --passphrase-fd 0 --no-verbose --quiet --batch --output - "$1" >"$gpg_text" 2>"$gpg_status"
+gpg_returnval="$?"
+if [ "x$gpg_returnval" != "x0" ]; then
+ rm -f "$gpg_status"
+ rm -f "$gpg_text"
+ exit 1 #"$gpg_returnval"
+fi
+
+# grep -c counts plaintext messages
+gpg_msgnum=`grep -c '^[[]GNUPG:[]]\ PLAINTEXT ' "$gpg_status"`
+if [ "x$gpg_msgnum" != "x1" ]; then
+ echo "$gpg_msgnum plaintext messages detected" >&2
+ rm -f "$gpg_status"
+ rm -f "$gpg_text"
+ exit 1
+fi
+
+cat "$gpg_status" >&2
+rm -f "$gpg_status"
+
+cat "$gpg_text"
+rm -f "$gpg_text"
+exit 0
+
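Review bot: The decrypted plaintext in `$gpg_text` is removed only on the script's own exit paths, so a signal arriving between the gpg call and the final `rm -f "$gpg_text"` leaves cleartext behind in /tmp. Installing the cleanup once, directly after the two `mktemp` lines, would cover every path: `trap 'rm -f "$gpg_status" "$gpg_text"' 0` followed by `trap 'exit 1' 1 2 15`. Both temp files are also created from the same `mutt-gpgstatus.XXXXXX` template, so a leftover plaintext file cannot be told apart from a status file by name; a distinct prefix for `gpg_text` would make stale cleartext easier to spot. The usage comment names `gpgverify.sh` while the file being added is `contrib/gpgdecode.sh`, so it should read `# Usage: set pgp_decode_command="gpgdecode.sh %f"`.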
diff -r 5de130a3cb96 m4/gpgme.m4
--- a/m4/gpgme.m4 Wed Mar 07 12:18:34 2007 -0800
+++ b/m4/gpgme.m4 Fri Mar 09 13:57:20 2007 +0900
@@ -37,7 +37,7 @@ dnl
dnl
AC_DEFUN([AM_PATH_GPGME],
[ AC_REQUIRE([_AM_PATH_GPGME_CONFIG])dnl
- tmp=ifelse([$1], ,1:0.4.2,$1)
+ tmp=ifelse([$1], ,1:1.1.4,$1)
if echo "$tmp" | grep ':' >/dev/null 2>/dev/null ; then
req_gpgme_api=`echo "$tmp" | sed 's/\(.*\):\(.*\)/\1/'`
min_gpgme_version=`echo "$tmp" | sed 's/\(.*\):\(.*\)/\2/'`