[Pkg-gnupg-maint] Bug#575084: gpg ignores junk in -u parameter

Joachim Breitner nomeata at debian.org
Tue Mar 23 11:14:14 UTC 2010


Package: gnupg
Version: 1.4.10-2
Severity: minor
File: /usr/bin/gpg

Hi,

this is probably relatively minor, but given the security importance of
gpg, I think it would not hurt if gpg were more picky with regard to
its input:

It seems that
$ gpg --sign --armour -u "4743206C"
has the same effect as
$ gpg --sign --armour -u "4743206C junk"
while
$ gpg --sign --armour -u "4743206Cjunk"
is rejected.

I’d expect gpg to complain with the second invocation as well, just to
be on the safe side.

Greetings,
Joachim

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages gnupg depends on:
ii  dpkg                    1.15.5.6         Debian package management system
ii  gpgv                    1.4.10-2         GNU privacy guard - signature veri
ii  install-info            4.13a.dfsg.1-5   Manage installed documentation in 
ii  libbz2-1.0              1.0.5-4          high-quality block-sorting file co
ii  libc6                   2.10.2-6         Embedded GNU C Library: Shared lib
ii  libreadline6            6.1-1            GNU readline and history libraries
ii  libusb-0.1-4            2:0.1.12-14      userspace USB programming library
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

Versions of packages gnupg recommends:
pn  gnupg-curl                    <none>     (no description available)
ii  libldap-2.4-2                 2.4.17-2.1 OpenLDAP libraries

Versions of packages gnupg suggests:
ii  eog                          2.28.2-1    Eye of GNOME graphics viewer progr
pn  gnupg-doc                    <none>      (no description available)
ii  imagemagick                  7:6.6.0.4-1 image manipulation programs
ii  libpcsclite1                 1.5.5-3     Middleware to access a smart card 

-- no debconf information
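The accept/reject pattern in the report, as an added C example that is not GnuPG's code: a lookup that tokenises on whitespace before validating the key ID reproduces the behaviour Joachim describes, while validating the whole argument rejects trailing junk in both forms. The length rules (8, 16 or 40 hex digits, optional 0x prefix) and the sample fingerprint are this example's assumptions; a real -u lookup also has to handle name and e-mail user IDs, which is outside this illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Return true if s[0..n) is a hex key specifier: optional 0x prefix
 * followed by a short (8) or long (16) key ID or a full fingerprint (40).
 * These length rules are this example's assumption, not GnuPG's parser. */
static bool is_hex_keyid(const char *s, size_t n)
{
    if (n > 2 && s[0] == '0' && (s[1] == 'x' || s[1] == 'X')) {
        s += 2;
        n -= 2;
    }
    if (n != 8 && n != 16 && n != 40)
        return false;
    for (size_t i = 0; i < n; i++)
        if (!isxdigit((unsigned char)s[i]))
            return false;
    return true;
}

/* Lenient lookup: split on whitespace first and validate only the first
 * token, so "4743206C junk" is accepted while "4743206Cjunk" is not.
 * This reproduces the accept/reject pattern the report observed. */
bool lenient_keyid_ok(const char *arg)
{
    size_t first = strcspn(arg, " \t\r\n");
    return is_hex_keyid(arg, first);
}

/* Strict lookup: the whole argument must be the key specifier, so any
 * trailing material, whitespace-separated or not, is rejected. */
bool strict_keyid_ok(const char *arg)
{
    return is_hex_keyid(arg, strlen(arg));
}

int main(void)
{
    /* The three -u arguments from the report plus two constructed inputs. */
    const char *args[] = { "4743206C", "4743206C junk", "4743206Cjunk",
                           "0x4743206C", "DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF" };
    for (size_t i = 0; i < sizeof args / sizeof args[0]; i++)
        printf("%-42s lenient=%s strict=%s\n", args[i],
               lenient_keyid_ok(args[i]) ? "accept" : "reject",
               strict_keyid_ok(args[i]) ? "accept" : "reject");
    return 0;
}
```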