|
Message-Id: <201209211241.27240.mweckbecker@suse.de> Date: Fri, 21 Sep 2012 12:41:26 +0200 From: Matthias Weckbecker <mweckbecker@...e.de> To: oss-security@...ts.openwall.com Cc: Dan Rosenberg <dan.j.rosenberg@...il.com>, vcizek@...e.de, tmraz@...hat.com Subject: Re: CVE request(?): gpg: improper file permssions set when en/de-crypting files On Friday 21 September 2012 12:35:49 Dan Rosenberg wrote: [...] > > > > [1] https://bugzilla.novell.com/show_bug.cgi?id=780943 > > > > Wouldn't one usually expect files that were previously encrypted to > > contain sensitive content (that's probably why content is encrypted at > > all)? And if so, shouldn't such files be only readable by certain users / > > group of users by default? Otherwise, a file that is e.g. decrypted in > > /tmp might leak due to the file permissions being too loose. > > GPG seems to just be honoring the umask: > Yes, that's correct. I think, however, that many distros ship umask=0022 by default. That would be -rw-r--r--. [...] > > Still might be worth fixing though. > I thought so too. > -Dan Thanks for your feedback so far! Matthias -- Matthias Weckbecker, Senior Security Engineer, SUSE Security Team SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg, Germany Tel: +49-911-74053-0; http://suse.com/ SUSE LINUX Products GmbH, GF: Jeff Hawn, HRB 16746 (AG Nuernberg)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.