[pkg-gnupg-maint] Bug#1068594: gpg: 100% CPU endless loop after mkdir /etc/gnupg/gpg.conf
Valentin Hilbig
debian-bug-reply at 03.softkill.org
Sun Apr 7 18:48:07 BST 2024
Package: gpg
Version: 2.4.5-1
Severity: important
X-Debbugs-Cc: debian-bug-reply at 03.softkill.org
Dear Maintainer,
The following creates an endless loop:
sudo apt install gpg
sudo mkdir -p /etc/gnupg/gpg.conf
gpg --version
Afterwards gpg becomes unusable system-wide.
To create the directory you usually need privileges; however, my expectation is
that an empty directory like the one shown above should never do this type of harm!
I mark this important, as this loop affects all gpg processes system-wide
and hence might be used to create a DoS if somebody somehow manages
to create this file as a directory instead.
Also the path /etc/gnupg/gpg.conf is not documented in man gpg.
Undocumented paths should not be exploitable to create harm.
Hence my expectation is that
- this file should be documented
- there should be a way to ignore this file such that gpg does not access this file
- gpg should ignore errors for this file if it is unreadable (such as it being a directory)
I do not have any expectation about what happens when this is a file which
includes errors. This should be part of the documentation.
I tried to report this upstream, but failed, as I was unable to register.
The bug affects stable, unstable and experimental and was tested on a VM.
-- System Information:
Debian Release: 12.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-18-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to C.UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages gpg depends on:
ii gpgconf 2.4.5-1
ii libassuan0 2.5.5-5
ii libbz2-1.0 1.0.8-5+b1
ii libc6 2.36-9+deb12u4
ii libgcrypt20 1.10.3-2
ii libgpg-error0 1.46-1
ii libnpth0t64 1.6-3.1
ii libreadline8t64 8.2-4
ii libsqlite3-0 3.40.1-2
ii zlib1g 1:1.2.13.dfsg-1
Versions of packages gpg recommends:
ii gnupg 2.4.5-1
gpg suggests no packages.
-- no debconf information
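As an added example (not part of the bug report above, and not code from the gpg project), the following POSIX shell snippet shows the two checks a practitioner would want around the reproduction steps: classify the config paths gpg reads (the system-wide /etc/gnupg/gpg.conf named in the report and the per-user gpg.conf) so that a directory sitting where a file belongs is caught before gpg is invoked, and run `gpg --version` under GNU coreutils `timeout` so a looping gpg is bounded instead of hanging the caller. The function names, the 5-second default and the use of `timeout` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the bug report or from GnuPG.
# Assumes GNU coreutils `timeout`; gpg itself may or may not be installed.

# classify_conf_path PATH
# Prints one of: missing, regular, directory, other (e.g. a dangling symlink).
classify_conf_path() {
    p=$1
    if [ ! -e "$p" ] && [ ! -L "$p" ]; then
        echo missing
    elif [ -d "$p" ]; then
        echo directory
    elif [ -f "$p" ]; then
        echo regular
    else
        echo other
    fi
}

# conf_path_ok PATH
# Returns 0 unless PATH is a directory, which is the case the report describes.
conf_path_ok() {
    [ "$(classify_conf_path "$1")" != directory ]
}

# check_gpg_confs
# Reports the system-wide path named in the report and the per-user path.
# Returns 1 if either of them is a directory.
check_gpg_confs() {
    rc=0
    for p in /etc/gnupg/gpg.conf "${GNUPGHOME:-$HOME/.gnupg}/gpg.conf"; do
        kind=$(classify_conf_path "$p")
        printf '%s: %s\n' "$p" "$kind"
        conf_path_ok "$p" || rc=1
    done
    return $rc
}

# probe_gpg [SECONDS]
# Runs `gpg --version` with a bounded runtime. Prints ok, timeout
# (coreutils timeout exits 124 when the limit is hit), missing or error,
# and returns the exit status of the probe.
probe_gpg() {
    secs=${1:-5}
    command -v gpg >/dev/null 2>&1 || { echo missing; return 2; }
    timeout "$secs" gpg --version >/dev/null 2>&1
    rc=$?
    case $rc in
        0)   echo ok ;;
        124) echo timeout ;;
        *)   echo error ;;
    esac
    return $rc
}

# Usage (not run automatically): check_gpg_confs && probe_gpg 5
```

Run `check_gpg_confs` first; if it reports `directory` for either path, skip `probe_gpg` and fix the path, since on an affected system the probe will only confirm the hang by timing out.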