Bug#492282: "seahorse-agent --execute" leaks file descriptors
Josselin Mouette
joss at debian.org
Sun Jul 27 06:18:43 UTC 2008
clone 492282 -1
severity -1 normal
tag -1 - security
retitle -1 gpgme leaves unused open file descriptors
reassign -1 libgpgme11
tag 492282 + pending
thanks
Le jeudi 24 juillet 2008 à 22:56 +0200, Stefan Fritsch a écrit :
> Seahorse leaks file descriptors to processes started with "seahorse-agent
> --execute", including the gpg agent listening socket. For the default setup,
> this means that all processes started from the desktop inherit those FDs and can
> possibly use them. This can be a security issue because the FDs are also
> inherited to processes started with su as a different user which normally would
> not have access to gpg key and gpg agent socket.
>
> Seahorse should use fcntl to set FD_CLOEXEC on its FDs.
I’ve patched seahorse in our svn to set FD_CLOEXEC on the agent socket.
Other open fds seem to be pipes opened by gpgme to talk to gpg that are
not closed after use. AIUI this is not a security issue.
Cheers,
--
.''`.
: :' : We are debian.org. Lower your prices, surrender your code.
`. `' We will add your hardware and software distinctiveness to
`- our own. Resistance is futile.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Ceci est une partie de message
=?ISO-8859-1?Q?num=E9riquement?= =?ISO-8859-1?Q?_sign=E9e?=
Url : http://lists.alioth.debian.org/pipermail/pkg-gnome-maintainers/attachments/20080727/cb433759/attachment.pgp
More information about the pkg-gnome-maintainers
mailing list