[pkg-gnupg-maint] Bug#1080430: libgpgme11t64: verification with gpg expects gpg to guess the command
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue Sep 3 21:22:14 BST 2024
Package: libgpgme11t64
Version: 1.23.2-1
Severity: normal
Control: forwarded -1 https://dev.gnupg.org/T6907
gpg is supposed to take a command argument to indicate what operation is
being done. if the argument list does not contain a command, it tries to
guess what to do based on the contents of the input, which can be
potentially dangerous, depending on who controls the input.
gpgme is supposed to operate gpg in the safest, most standard way, but
it fails to supply a command when verifying. This is fixed upstream,
but is not yet in any released version.
We should import the narrowly targeted fix into debian.
--dkg
-- System Information:
Debian Release: trixie/sid
APT prefers testing-debug
APT policy: (500, 'testing-debug'), (500, 'testing'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 6.10.6-amd64 (SMP w/20 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages libgpgme11t64 depends on:
ii gnupg 2.2.43-8
ii gpg 2.2.43-8
ii libassuan0 2.5.6-1+b1
ii libc6 2.40-2
ii libgpg-error0 1.50-3
Versions of packages libgpgme11t64 recommends:
ii dirmngr 2.2.43-8
ii gpg-agent 2.2.43-8
pn gpg-wks-client <none>
ii gpgsm 2.2.43-8
libgpgme11t64 suggests no packages.
-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnupg-maint/attachments/20240903/3d9c10c7/attachment-0001.sig>
More information about the pkg-gnupg-maint
mailing list