[pkg-gnupg-maint] Bug#1068594: Bug#1068594: gpg: 100% CPU endless loop after mkdir /etc/gnupg/gpg.conf

Sune Stolborg Vuorela sune at debian.org
Mon Apr 8 08:29:49 BST 2024 

Control: tags -1 fixed-upstream
Control: reassign -1 libgpg-error0

https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgpg-error.git;a=commitdiff;h=2dc93cfecc7a7b22fd08365a789b8c6c4b8cc36c;hp=92f874e7d1150c44d8c5d4d5e2c2ddf5299e1064

Fixed upstream.

/Sune

On Sunday, April 7, 2024 7:48:07 PM CEST Valentin Hilbig wrote:
> Package: gpg
> Version: 2.4.5-1
> Severity: important
> X-Debbugs-Cc: debian-bug-reply at 03.softkill.org
> 
> Dear Maintainer,
> 
> following creates an endless loop:
> 
> sudo apt install gpg
> sudo mkdir -p /etc/gnupg/gpg.conf
> gpg --version
> 
> Afterwards gpg becomes unusable system wide.
> To create the directory you usually need privileges, however my expectation
> is, that some empty directory like shown above should never do this type of
> harm!
> 
> I mark this important, as this loop affects all gpg processes system wide
> and hence might be used to create a DoS if somebody somehow manages
> to create this file as a directory instead.
> 
> Also the path /etc/gnupg/gpg.conf is not documented in man gpg.
> Undocumented paths should not be exploitable to create harm.
> Hence my expectation is that
> 
> - this file should be documented
> - there should be a way to ignore this file such that gpg does not access
> this file - gpg should ignore errors this file if it is unreadable (like
> being a directory)
> 
> I do not have any expectation about what happens when this is a file which
> includes errors.  This should be part of the documentation.
> 
> I tried to report this upstream, but failed, as I was unable to register.
> 
> The bug affects stable, unstable and experimental and was tested on a VM.
> 
> 
> -- System Information:
> Debian Release: 12.5
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500,
> 'unstable'), (500, 'stable'), (1, 'experimental') Architecture: amd64
> (x86_64)
> 
> Kernel: Linux 6.1.0-18-amd64 (SMP w/4 CPU threads; PREEMPT)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored:
> LC_ALL set to C.UTF-8), LANGUAGE not set Shell: /bin/sh linked to
> /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
> 
> Versions of packages gpg depends on:
> ii  gpgconf          2.4.5-1
> ii  libassuan0       2.5.5-5
> ii  libbz2-1.0       1.0.8-5+b1
> ii  libc6            2.36-9+deb12u4
> ii  libgcrypt20      1.10.3-2
> ii  libgpg-error0    1.46-1
> ii  libnpth0t64      1.6-3.1
> ii  libreadline8t64  8.2-4
> ii  libsqlite3-0     3.40.1-2
> ii  zlib1g           1:1.2.13.dfsg-1
> 
> Versions of packages gpg recommends:
> ii  gnupg  2.4.5-1
> 
> gpg suggests no packages.
> 
> -- no debconf information
> 
> _______________________________________________
> pkg-gnupg-maint mailing list
> pkg-gnupg-maint at alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-gnupg-maint


-- 
I didn’t stop pretending when I became an adult, it’s just that when I was a 
kid I was pretending that I fit into the rules and structures of this world. 
And now that I’m an adult, I pretend that those rules and structures exist.
   - zefrank

More information about the pkg-gnupg-maint mailing list