Re: mutt/2839: GnuPG and GnuPG clients unsigned data injection

To: Mutt Developers <mutt-dev@xxxxxxxx>
Subject: Re: mutt/2839: GnuPG and GnuPG clients unsigned data injection
From: TAKAHASHI Tamotsu <ttakah@xxxxxxxxxxxxxxxxx>
Date: Fri, 9 Mar 2007 14:15:58 +0900
In-reply-to: <20070308222833.GH22842@xxxxxxxx>
List-unsubscribe: <mailto:mutt-dev-request@mutt.org?Subject="Unsubscribe Mutt Dev"?body=unsubscribe>
Mail-followup-to: Mutt Developers <mutt-dev@xxxxxxxx>
References: <mutt-pr-2839@xxxxxxxxxxxxx> <E1HPQzN-000061-Vi@xxxxxxxxxxxxxxxxxxxx> <20070308222833.GH22842@xxxxxxxx>
Sender: owner-mutt-dev@xxxxxxxx
User-agent: Mutt/1.5.13 (2007-01-09)

* Thu Mar  8 2007 Christoph Berg <cb@xxxxxxxx>
> ----- Forwarded message from Jö Fahlke <jorrit@xxxxxxxxx> -----
> Core Securities advisory:
> http://www.coresecurity.com/?action=item&id=1687
> 
> Announcement on the GnuPG mailinglist:
> http://lists.gnupg.org/pipermail/gnupg-announce/2007q1/000251.html
> 
> I was able to verify that the second way of attack variant 2 decribed
> by Core Security does indeed work with mutt from testing.  A testcase
> is attached.

I don't know whether this is a bug in mutt or not,
but here is a sample shell script to count messages.
Because the latest GnuPG/GPGME already fixed it,
I don't think mutt has to take care of it.

-- 
tamo

diff -r 5de130a3cb96 contrib/gpgdecode.sh
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/contrib/gpgdecode.sh      Fri Mar 09 13:40:07 2007 +0900
@@ -0,0 +1,35 @@
+#!/bin/sh
+# Usage: set pgp_decode_command="gpgverify.sh %f"
+
+################## DANGEROUS ##################
+# This script stores decrypted text as a file #
+###############################################
+
+# we use /tmp
+gpg_status=`mktemp /tmp/mutt-gpgstatus.XXXXXX` || exit 1
+gpg_text=`mktemp /tmp/mutt-gpgstatus.XXXXXX` || exit 1
+
+/usr/bin/gpg   --status-fd=2 --passphrase-fd 0 --no-verbose --quiet --batch 
--output - "$1" >"$gpg_text" 2>"$gpg_status"
+gpg_returnval="$?"
+if [ "x$gpg_returnval" != "x0" ]; then
+  rm -f "$gpg_status"
+  rm -f "$gpg_text"
+  exit 1 #"$gpg_returnval"
+fi
+
+# grep -c counts plaintext messages
+gpg_msgnum=`grep -c '^[[]GNUPG:[]]\ PLAINTEXT ' "$gpg_status"`
+if [ "x$gpg_msgnum" != "x1" ]; then
+  echo "$gpg_msgnum plaintext messages detected" >&2
+  rm -f "$gpg_status"
+  rm -f "$gpg_text"
+  exit 1
+fi
+
+cat "$gpg_status" >&2
+rm -f "$gpg_status"
+
+cat "$gpg_text"
+rm -f "$gpg_text"
+exit 0
+
diff -r 5de130a3cb96 m4/gpgme.m4
--- a/m4/gpgme.m4       Wed Mar 07 12:18:34 2007 -0800
+++ b/m4/gpgme.m4       Fri Mar 09 13:57:20 2007 +0900
@@ -37,7 +37,7 @@ dnl
 dnl
 AC_DEFUN([AM_PATH_GPGME],
 [ AC_REQUIRE([_AM_PATH_GPGME_CONFIG])dnl
-  tmp=ifelse([$1], ,1:0.4.2,$1)
+  tmp=ifelse([$1], ,1:1.1.4,$1)
   if echo "$tmp" | grep ':' >/dev/null 2>/dev/null ; then
      req_gpgme_api=`echo "$tmp"     | sed 's/\(.*\):\(.*\)/\1/'`
      min_gpgme_version=`echo "$tmp" | sed 's/\(.*\):\(.*\)/\2/'`

References:
- Re: mutt/2839: GnuPG and GnuPG clients unsigned data injection vulnerability
  - From: Christoph Berg
- Re: mutt/2839: GnuPG and GnuPG clients unsigned data injection
  - From: Christoph Berg

Prev by Date: Re: imap/2837: MYRIGHTS not understood by Mirapoint IMAP4PROXY
Next by Date: mutt: 2 new changesets
Previous by thread: Re: mutt/2839: GnuPG and GnuPG clients unsigned data injection
Next by thread: [PATCH] Make manual validate against DocBook 4.2 DTD
Index(es):
- Date
- Thread