gpg issue

John A Meinel john at arbash-meinel.com
Wed Feb 15 01:09:28 GMT 2006


Robert Collins wrote:
> On Tue, 2006-02-14 at 15:04 -0600, John A Meinel wrote:
> 
>> You are right that it is a problem with pinentry, but it is how gpg is
>> using gpg-agent who is using pinentry.
>> Doing:
>>
>> echo "foo" | gpg --clearsign
>>
>> Fails because pinentry cannot prompt the user
>>
>> echo "foo" | gpg --no-use-agent --clearsign
>>
>> Does successfully prompt me for a password.
>>
>> Do we need a temp dir, or just a temp file? Because by default a temp
>> file is created as 0600, so other people can't read it anyway.
> 
> open file foo mode 0600
> write content to be signed
> close file foo
> -attacker calls 'mv' and replaces the file with hostile content
> gpg opens file foo
> gpg signs bad content
> gpg writes output file foo.asc
> -attacker copies foo.asc and now has your signature on arbitrary data.

Actually, we don't close the file until we are done, (because it uses
NamedTemporaryFile which deletes itself).

But you are right that it could be overwritten if someone was trying
really hard and timed it just right. So I'll put it in a temporary
directory writable only by me.

...

> 
> I'm ok with a temporary dir. The steps above should show why a temporary
> file is unsafe for this use. It seems rather ugly though, and it's only
> pinentry I've heard of having this issue in ~2.5 years of dealing with
> gpg wrappers of various sorts.

I guess I'll agree enough with that. I wasn't able to find a specific
bugtracker for pinentry.

> 
>> I need some sort of workaround, and I don't think I can easily do it
>> with a plugin. Though I guess I can write a plugin for a new GPGStrategy.
> 
> You can do that, but I agree that you should not have to.

Well, it was easy enough to do so. And you convinced me enough that it
shouldn't be part of the core of bzr for security purposes.

...

> 
> I'm concerned that we will open up ourselves to security issues if we
> are not extremely careful. I'd *prefer* that you file a bug on pinentry
> and see if that's considered problematic by the gpg/pinentry whoever
> maintain it folk. But if it's by design, then we should handle it
> correctly inside bzr. As for the best way to do that, one would be to
> have 'gpg_signing_command=pinentry' trigger the use of a custom gpg
> strategy, another is to change it for all callers. I'm not sure which is
> cleaner at this point, I think you should make that call. I will note
> that on systems without good mode control the security risks of
> temporary files are much higher, and that should be taken into
> consideration when evaluating this.
> 
> Rob
> 

If I just have it as a plugin, then people can grab it if they have the
problem. I'm doing the temporary directory (which has mode 700), and a
temporary file (which has mode 600). So it should be reasonably okay.

The closest thing I found to a bug tracker was:
http://intevation.de/roundup/aegypten/

Which has one bug that mentions needing GPG_TTY to be set. But I didn't
see anything about *who* was supposed to be setting it. I did submit a
bug myself (issue 486).

I still think the plugin is necessary for backwards compatibility, even
if they fix the bug. But it certainly can just be a plugin that we tell
people to install if they need it. (and if enough people need it, we can
promote it to a configuration option).

John
=:->
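The private-directory approach discussed above (a mode 0700 directory holding a mode 0600 file, so the swap-the-file race in Robert's step list has nowhere to happen), as an added example that is not code from bzr or John's plugin. The signer is passed in as a callable so the example runs without gpg; the inode check and the `is_private_dir` helper are this example's own additions.

```python
import os
import shutil
import stat
import tempfile
from typing import Callable


def is_private_dir(path: str) -> bool:
    """True if `path` is a directory owned by us with no group/other bits."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != os.getuid():
        return False
    return not (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO))


def sign_via_private_tempdir(content: bytes,
                             sign_file: Callable[[str], bytes]) -> bytes:
    """Hand `content` to a file-based signer (e.g. a gpg wrapper) without
    leaving a window in which another local user could replace the file.

    mkdtemp creates the directory with mode 0700 and an unpredictable name,
    so nobody else can rename or link a file into it. The file itself is
    created with O_EXCL (never reuse an existing name) and mode 0600.
    """
    tmpdir = tempfile.mkdtemp(prefix="bzr-gpg-")
    try:
        if not is_private_dir(tmpdir):
            raise RuntimeError("temporary directory is not private: %s" % tmpdir)
        path = os.path.join(tmpdir, "to-sign")
        flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
        fd = os.open(path, flags, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(content)
            written = os.fstat(f.fileno())
        # Belt and braces: the name must still refer to the inode we wrote.
        on_disk = os.lstat(path)
        if (on_disk.st_dev, on_disk.st_ino) != (written.st_dev, written.st_ino):
            raise RuntimeError("temporary file was replaced before signing")
        return sign_file(path)
    finally:
        # Remove the file and directory together, even if signing failed.
        shutil.rmtree(tmpdir, ignore_errors=True)
```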
