Page MenuHome GnuPG
Create Task
Maniphest T6098

Path traversal bug in gpg-wks-server
Closed, ResolvedPublic
Actions

Description

Philipp Breuch reported problems with the gpg-wks-server. In particular a directory path traversal bug could be used to publish a key for a different address.

Revisions and Commits

rG GnuPG
rG73a98c139691 wkd: Bind the address to the nonce.
rG4c8792fa10b6 wkd: Bind the address to the nonce.

Related Objects

Event Timeline

werner triaged this task as High priority.Jul 26 2022, 12:36 PM
werner created this task.
werner created this object in space Restricted Space.
werner created this object with edit policy "Contributor (Project)".
werner renamed this task from Pass traversal bug in gpg-wks-server to Path traversal bug in gpg-wks-server.Jul 27 2022, 8:20 AM
werner updated the task description. (Show Details)Jul 27 2022, 8:26 AM
werner added a commit: rG4c8792fa10b6: wkd: Bind the address to the nonce..Jul 27 2022, 11:43 AM
werner shifted this object from the Restricted Space space to the S1 Public space.Jul 27 2022, 11:43 AM
werner added a commit: rG73a98c139691: wkd: Bind the address to the nonce..Jul 27 2022, 12:31 PM
werner changed the task status from Open to Testing.Jul 27 2022, 12:33 PM

Fix will go into 2.2.37 and 2.3.8.

Note that migration to the new version will invalidate pending requests.

werner closed this task as Resolved.Aug 1 2022, 11:19 AM
werner claimed this task.
werner mentioned this in T6105: Release GnuPG 2.2.37.Aug 24 2022, 5:22 PM
werner mentioned this in T6106: Release GnuPG 2.3.8.Oct 14 2022, 6:02 PM