[pkg-gnupg-maint] Bug#835620: Bug#835620: gnupg: setuid to non-root: Ohhhh jeeee: ... this is a bug (../../g10/gpg.c:2010:main)
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue Aug 30 08:32:59 UTC 2016
Control: reassign 835620 gnupg1 1.4.20-7
On Sat 2016-08-27 13:01:35 -0400, Valentin Lorentz wrote:
> Running gnupg from a process with setuid to a user different than root
> triggers a bug.
>
> Here is how to reproduce it:
>
> val at particle:/tmp $ cat foo.c
> #include <unistd.h>
> #include <stdio.h>
> #include <stdlib.h>
>
> /* Minimal reproducer: print real/effective uid, then run gpg from a
>    process whose effective uid differs from its real uid. */
> int main(int argc, char* argv[]) {
>     printf("%u %u\n", getuid(), geteuid());
>     system("gpg --help");
>     return 0;
> }
> val at particle:/tmp $ sudo gcc foo.c && sudo chown dev-misc:dev-misc
> a.out && sudo chmod u+s a.out
> val at particle:/tmp $ LANG=C ./a.out
> 1000 1006
>
> gpg: Ohhhh jeeee: ... this is a bug (../../g10/gpg.c:2010:main)
> secmem usage: 0/0 bytes in 0/0 blocks of pool 0/65536
> Aborted
right, this code there looks like this:
0 dkg at alice:~/src/pkg-gnupg/gnupg1/g10$ cat -n gpg.c | head -n 2017 | tail
  2008        maybe_setuid = 0;
  2009        /* Okay, we are now working under our real uid */
  2010
  2011    #if defined(HAVE_GETUID) && defined(HAVE_GETEUID)
  2012        /* There should be no way to get to this spot while still carrying
  2013           setuid privs.  Just in case, bomb out if we are.  */
  2014        if ( getuid () != geteuid () )
  2015          BUG();
  2016    #endif
  2017
0 dkg at alice:~/src/pkg-gnupg/gnupg1/g10$
I believe upstream's goal is to have dropped all privileges here. But
for some reason that's not happening properly? Maybe someone from
upstream can comment on the logic here.
That said, i think that trying to run gpg from a setuid program is
probably not a great idea, in terms of opportunities for direct code
execution (as i mentioned over in #835629). Can you explain your use
case a little better?
Regards,
--dkg
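Added example (not part of this thread, and not GnuPG's or Debian's code): the guard at g10/gpg.c:2010 aborts because the real and effective uids still differ when gpg starts. A setuid wrapper that wants to run gpg should first give up its setuid/setgid identity permanently, so that the child inherits matching real, effective and saved ids. The helper names drop_to_real_ids() and privs_dropped() are assumptions; setresuid()/setresgid() are the glibc/Linux calls used here.

```c
/* Added example: permanently drop setuid/setgid privileges back to the
 * real ids before running an external program such as gpg.
 * drop_to_real_ids() and privs_dropped() are illustrative names, not
 * GnuPG API. setresuid/setresgid are Linux/glibc-specific. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Explicit prototypes so the block compiles even if unistd.h was
 * already included without _GNU_SOURCE in effect. */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);

/* 1 when real and effective ids match, i.e. the state that gpg's
 * "if (getuid() != geteuid()) BUG();" guard expects; 0 otherwise. */
int privs_dropped(void)
{
    return getuid() == geteuid() && getgid() == getegid();
}

/* Set real, effective AND saved ids to the real ones. Setting only the
 * effective id (setuid/seteuid in a non-root setuid binary) would leave the
 * saved id behind, and a child could switch back to it after exec.
 * Group first: after the uid is dropped, changing the gid may be refused.
 * Returns 0 on success, -1 on failure. */
int drop_to_real_ids(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (setresgid(rgid, rgid, rgid) != 0)
        return -1;
    if (setresuid(ruid, ruid, ruid) != 0)
        return -1;

    /* Verify rather than trust the return codes: re-read the ids. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    return privs_dropped() ? 0 : -1;
}

int main(void)
{
    printf("before: uid=%u euid=%u\n", (unsigned)getuid(), (unsigned)geteuid());
    if (drop_to_real_ids() != 0) {
        perror("drop_to_real_ids");
        return 1;
    }
    printf("after:  uid=%u euid=%u\n", (unsigned)getuid(), (unsigned)geteuid());

    /* gpg now starts with matching ids and does not trip the BUG() at
     * g10/gpg.c:2010. execvp with an explicit argv replaces the shell that
     * system() would otherwise interpose. */
    char *const gpg_argv[] = { "gpg", "--version", NULL };
    execvp(gpg_argv[0], gpg_argv);
    perror("execvp gpg");
    return 1;
}
```

Compiled and installed the same way as the foo.c reproducer above (chown to another user, chmod u+s), this prints differing ids before the drop and matching ids after it, and the gpg it then executes starts under the real uid only. If the wrapper genuinely needs its elevated identity for some earlier step, the drop has to happen after that step and before any exec or system() call.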