[pkg-gnupg-maint] Bug#1068594: Bug#1068594: gpg: 100% CPU endless loop after mkdir /etc/gnupg/gpg.conf
Sune Stolborg Vuorela
sune at debian.org
Mon Apr 8 08:29:49 BST 2024
Control: tags -1 fixed-upstream
Control: reassign -1 libgpg-error0
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgpg-error.git;a=commitdiff;h=2dc93cfecc7a7b22fd08365a789b8c6c4b8cc36c;hp=92f874e7d1150c44d8c5d4d5e2c2ddf5299e1064
Fixed upstream.
/Sune
On Sunday, April 7, 2024 7:48:07 PM CEST Valentin Hilbig wrote:
> Package: gpg
> Version: 2.4.5-1
> Severity: important
> X-Debbugs-Cc: debian-bug-reply at 03.softkill.org
>
> Dear Maintainer,
>
> following creates an endless loop:
>
> sudo apt install gpg
> sudo mkdir -p /etc/gnupg/gpg.conf
> gpg --version
>
> Afterwards gpg becomes unusable system wide.
> To create the directory you usually need privileges, however my expectation
> is, that some empty directory like shown above should never do this type of
> harm!
>
> I mark this important, as this loop affects all gpg processes system wide
> and hence might be used to create a DoS if somebody somehow manages
> to create this file as a directory instead.
>
> Also the path /etc/gnupg/gpg.conf is not documented in man gpg.
> Undocumented paths should not be exploitable to create harm.
> Hence my expectation is that
>
> - this file should be documented
> - there should be a way to ignore this file such that gpg does not access
> this file - gpg should ignore errors this file if it is unreadable (like
> being a directory)
>
> I do not have any expectation about what happens when this is a file which
> includes errors. This should be part of the documentation.
>
> I tried to report this upstream, but failed, as I was unable to register.
>
> The bug affects stable, unstable and experimental and was tested on a VM.
>
>
> -- System Information:
> Debian Release: 12.5
> APT prefers stable-updates
> APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500,
> 'unstable'), (500, 'stable'), (1, 'experimental') Architecture: amd64
> (x86_64)
>
> Kernel: Linux 6.1.0-18-amd64 (SMP w/4 CPU threads; PREEMPT)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored:
> LC_ALL set to C.UTF-8), LANGUAGE not set Shell: /bin/sh linked to
> /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages gpg depends on:
> ii gpgconf 2.4.5-1
> ii libassuan0 2.5.5-5
> ii libbz2-1.0 1.0.8-5+b1
> ii libc6 2.36-9+deb12u4
> ii libgcrypt20 1.10.3-2
> ii libgpg-error0 1.46-1
> ii libnpth0t64 1.6-3.1
> ii libreadline8t64 8.2-4
> ii libsqlite3-0 3.40.1-2
> ii zlib1g 1:1.2.13.dfsg-1
>
> Versions of packages gpg recommends:
> ii gnupg 2.4.5-1
>
> gpg suggests no packages.
>
> -- no debconf information
>
> _______________________________________________
> pkg-gnupg-maint mailing list
> pkg-gnupg-maint at alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-gnupg-maint
--
I didn’t stop pretending when I became an adult, it’s just that when I was a
kid I was pretending that I fit into the rules and structures of this world.
And now that I’m an adult, I pretend that those rules and structures exist.
- zefrank
More information about the pkg-gnupg-maint
mailing list