[pkg-gnupg-maint] Bug#1080430: libgpgme11t64: verification with gpg expects gpg to guess the command
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue Sep 3 23:15:31 BST 2024
Control: affects 1080430 + gpg-from-sq
On Tue 2024-09-03 16:22:14 -0400, Daniel Kahn Gillmor wrote:
> https://dev.gnupg.org/T6907
>
> gpg is supposed to take a command argument to indicate what operation is
> being done. if the argument list does not contain a command, it tries to
> guess what to do based on the contents of the input, which can be
> potentially dangerous, depending on who controls the input.
>
> gpgme is supposed to operate gpg in the safest, most standard way, but
> it fails to supply a command when verifying.
This is also relevant for Sequoia's "chameleon" project, see also
https://gitlab.com/sequoia-pgp/sequoia-chameleon-gnupg/-/issues/94
--dlg
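The safe invocation this report asks for, as an added example that is not gpgme's or GnuPG's own code: build the gpg argv with an explicit `--verify` command so gpg never has to guess the operation from its input, and take the verdict only from the machine-readable `--status-fd` lines. The sample status output is constructed, and `verify()` assumes a `gpg` binary on PATH.

```python
import subprocess
from typing import Dict, List, Optional

STATUS_PREFIX = "[GNUPG:] "

def verify_argv(signature: str, data: Optional[str] = None,
                gpg: str = "gpg") -> List[str]:
    """argv for a verification with an explicit command.

    --verify names the operation; without it gpg inspects the input and
    chooses one itself (the behaviour T6907 warns about). --batch and
    --no-tty stop prompting; --status-fd 1 sends status lines to stdout.
    """
    argv = [gpg, "--batch", "--no-tty", "--status-fd", "1",
            "--verify", signature]
    if data is not None:            # detached signature: data file follows
        argv.append(data)
    return argv

def parse_status(output: str) -> Dict[str, object]:
    """Reduce '[GNUPG:] KEYWORD args...' lines to a verification verdict.

    Only keywords that describe the signature result are examined; the
    human-readable text gpg prints elsewhere is never consulted.
    """
    result: Dict[str, object] = {"good": False, "bad": False,
                                 "fingerprint": None, "errors": []}
    for line in output.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        keyword, args = fields[0], fields[1:]
        if keyword == "GOODSIG":
            result["good"] = True
        elif keyword == "VALIDSIG" and args:
            result["fingerprint"] = args[0]   # full fingerprint, not key id
        elif keyword == "BADSIG":
            result["bad"] = True
        elif keyword in ("ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            result["errors"].append(keyword)  # conservative: treat as failure
    # Accept only a good signature with no contradicting status lines.
    result["ok"] = bool(result["good"]) and not result["bad"] and not result["errors"]
    return result

def verify(signature: str, data: Optional[str] = None) -> Dict[str, object]:
    """Run gpg on real files (assumes gpg on PATH) and return the verdict."""
    proc = subprocess.run(verify_argv(signature, data), capture_output=True, text=True)
    return parse_status(proc.stdout)

# Constructed sample of the status lines gpg emits for a good detached signature.
SAMPLE_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-09-03 1725400000 0 4 0 22 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_FULLY 0 pgp
"""
```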