Bug#1099112: libmail-gnupg-perl: Mail::GnuPG test suite fails when GnuPG is patched against a signature verification DoS

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Feb 28 00:13:01 GMT 2025


Package: libmail-gnupg-perl
Version: 0.23-4
Severity: normal
Tags: patch
Control: affects -1 src:gnupg2

The test suite for Mail::GnuPG breaks with the new version of gnupg2
that is patched against a signature verification denial of service. It
breaks because the test suite depends on verifying signatures made from
expired OpenPGP certificates.

The attached patch adjusts the test suite to consider only non-expired
certificates.

I suspect there might be more work to be done to fix Mail::GnuPG, since
it apparently made it easy to accept signatures from expired
certificates, which might not be what the user actually expects.  But
for the moment, it would be good to get the test suite to pass.

If you'd like me to NMU this, please let me know.

Thanks for maintaining Mail::GnuPG in debian!

    --dkg


-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.12-amd64 (SMP w/20 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libmail-gnupg-perl depends on:
ii  gnupg                    2.4.7-4
ii  libgnupg-interface-perl  1.04-4
ii  libmailtools-perl        2.22-1
ii  libmime-tools-perl       5.515-1
ii  perl                     5.40.1-2

libmail-gnupg-perl recommends no packages.

Versions of packages libmail-gnupg-perl suggests:
ii  gpg-agent  2.4.7-4

-- no debconf information

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Replace-expired-OpenPGP-certficates.patch
Type: text/x-diff
Size: 102063 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-perl-maintainers/attachments/20250227/f30d854a/attachment-0001.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-perl-maintainers/attachments/20250227/f30d854a/attachment-0001.sig>
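
An added example (not part of the original report, the attached patch, or Mail::GnuPG): one way to audit a test keyring for the condition the report describes is to parse `gpg --with-colons` output and list primary keys that are expired as of a chosen time. Passing a future time also catches fixtures that are about to expire, which goes slightly beyond the report. The sample listing, key IDs and fingerprints are constructed, and `sample_listing` and `expired_keys` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: find expired primary keys in `gpg --with-colons` output.
# Against a real fixture keyring (DIR is a placeholder path):
#   gpg --homedir DIR --with-colons --list-keys | expired_keys "$(date +%s)"

# Constructed sample listing: one key gpg already marks expired ("e"),
# one key with no expiry but an expired subkey, and one key whose expiry
# timestamp lies in the past although its validity field is not "e".
sample_listing() {
cat <<'EOF'
pub:e:2048:1:AAAAAAAAAAAAAAAA:1400000000:1500000000::-:::sc::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:e::::1400000000::0000000000000000000000000000000000000000::Constructed Expired <expired@example.org>::::::::::0:
pub:-:255:22:BBBBBBBBBBBBBBBB:1700000000:::-:::scESC:::::ed25519:::0:
fpr:::::::::0000000000000000000000000000000000000002:
sub:e:255:18:DDDDDDDDDDDDDDDD:1700000000:1710000000:::::e:::::cv25519::
fpr:::::::::0000000000000000000000000000000000000004:
pub:-:3072:1:CCCCCCCCCCCCCCCC:1600000000:1650000000::-:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000003:
EOF
}

# expired_keys NOW
# Reads a colon listing on stdin and prints "FINGERPRINT EXPIRY" for each
# primary key that is expired as of NOW (seconds since the epoch).
# Colon fields used: 1 = record type, 2 = validity ("e" means expired),
# 7 = expiration time, 10 = fingerprint on "fpr" records.
# Assumes field 7 is epoch seconds, as current GnuPG 2.x prints it.
# Only primary keys are checked; expired subkeys are not reported.
expired_keys() {
    awk -F: -v now="$1" '
        $1 == "pub" {
            expiry = $7
            flag = ($2 == "e" || (expiry != "" && expiry + 0 <= now + 0))
            next
        }
        # The first fpr record after a pub record is the primary fingerprint.
        $1 == "fpr" && flag { print $10, expiry; flag = 0 }
    '
}

# Stand-alone run: check the constructed sample against the current time.
sample_listing | expired_keys "$(date +%s)"
```
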

