
Explicitly deprecate --use-embedded-filename -- it is hazardous
Closed, Resolved (Public)


I'm opening this report because I found a (currently embargoed) security vulnerability in a tool that uses GnuPG due to this option. If GnuPG had reported a deprecation warning years ago, or if GnuPG didn't support this option at all, the users of that tool might be safer today. In the long run, using --use-embedded-filename should probably cause an explicit failure with, for example "no such option" or "attempt to use deprecated, dangerous option".

The --use-embedded-filename option will cause GnuPG to create a file with whatever name is embedded in the OpenPGP stream.

For all existing OpenPGP data (whether encrypted or not), that filename has no cryptographic verification. For LibrePGP data, where it is possible for a v5 signature or a v4 signature with the "Literal Data Meta Hash" subpacket to cover this data, GnuPG offers no controls that a user can use to require that the data is signed at all, let alone that it is signed by someone from any particular subset of potential signers.

For example, if literal-data-packet.pgp contains a raw literal data packet (no encryption, no signatures), the following command will cause gpg to write the contents of the packet to an arbitrary file:

gpg --decrypt --use-embedded-filename < literal-data-packet.pgp

Thus, the option is unsafe to use in any circumstance beyond that where the user can somehow control whether the file has been modified in transit at all. In that case, there are several better ways for any user to transmit a desired filename, such as by transferring a script that describes the desired filename alongside the OpenPGP material, or by using OpenPGP to wrap a tarball, which can contain metadata or instructions far more sophisticated and flexible than a single string limited to 255 octets.

In T4500, @werner explicitly notes:

In any case I suggest not to use this option and instead decrypt to a temporary file and then rename it to the embedded file name after checking that this file name is harmless. When using the --status-fd option gpg tells the filename as part of the PLAINTEXT status message.

So this change embeds that recommendation directly in the manual.

By marking this dangerous option as deprecated, GnuPG effectively gives any users with it embedded in scripts notice it will be removed in a future version.
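As an added example (not code from this ticket or from GnuPG itself), the following Python builds the kind of raw literal data packet the report describes, shows that the embedded filename is nothing more than an unauthenticated string in the packet body, and implements the workflow werner recommends instead of --use-embedded-filename: decrypt to a temporary file, read the filename from the PLAINTEXT status line, and only rename once the name passes a harmlessness check. The packet builder, the `is_harmless_filename` policy and the sample status line are all constructed for this example; the PLAINTEXT line layout (format code, timestamp, percent-escaped filename) follows GnuPG's doc/DETAILS, and the hostile filenames are made up.

```python
"""Added example (not GnuPG's own code): build an OpenPGP literal data packet
with an attacker-chosen embedded filename, recover that filename the way a
consumer sees it, and apply a conservative "is this name harmless?" check of
the kind the ticket recommends before renaming a temporary output file."""
import struct
from urllib.parse import unquote_to_bytes  # decodes the %XX escapes gpg uses on status lines

LITERAL_DATA_TAG = 11  # RFC 4880 section 5.9


def build_literal_data_packet(filename: bytes, data: bytes,
                              fmt: bytes = b"b", timestamp: int = 0) -> bytes:
    """Serialise a literal data packet with a new-format header (RFC 4880 4.2.2).
    Nothing here is signed or encrypted: the filename is just bytes in the body."""
    if len(filename) > 255:
        raise ValueError("OpenPGP stores the filename length in one octet")
    body = fmt + bytes([len(filename)]) + filename + struct.pack(">I", timestamp) + data
    header = bytes([0xC0 | LITERAL_DATA_TAG])
    n = len(body)
    if n < 192:                       # one-octet length
        header += bytes([n])
    elif n < 8384:                    # two-octet length
        n -= 192
        header += bytes([(n >> 8) + 192, n & 0xFF])
    else:                             # five-octet length
        header += b"\xff" + struct.pack(">I", n)
    return header + body


def parse_literal_data_packet(pkt: bytes):
    """Return (format, filename, timestamp, data) from a new-format literal data packet."""
    if (pkt[0] & 0xC0) != 0xC0 or (pkt[0] & 0x3F) != LITERAL_DATA_TAG:
        raise ValueError("not a new-format literal data packet")
    first = pkt[1]
    if first < 192:
        n, off = first, 2
    elif first < 224:
        n, off = ((first - 192) << 8) + pkt[2] + 192, 3
    elif first == 255:
        n, off = struct.unpack(">I", pkt[2:6])[0], 6
    else:
        raise ValueError("partial body lengths are not handled in this example")
    body = pkt[off:off + n]
    fmt, flen = body[0:1], body[1]
    filename = body[2:2 + flen]
    timestamp = struct.unpack(">I", body[2 + flen:6 + flen])[0]
    return fmt, filename, timestamp, body[6 + flen:]


def is_harmless_filename(name: bytes) -> bool:
    """Accept only a bare, printable-ASCII basename: no path separators, no
    traversal, no control characters, not hidden.  This policy is an
    assumption of this example; tighten it for your own environment."""
    if not name or len(name) > 255:
        return False
    try:
        s = name.decode("ascii")
    except UnicodeDecodeError:
        return False
    if any(c < " " or c == "\x7f" for c in s):
        return False
    if any(sep in s for sep in ("/", "\\", ":")):
        return False
    if s.startswith(".") or s.endswith(" "):
        return False
    return True


def parse_plaintext_status(line: str):
    """Extract the embedded filename from a status-fd line of the form
    '[GNUPG:] PLAINTEXT <format> <timestamp> <filename>' (doc/DETAILS).
    Returns None for any other status line."""
    fields = line.rstrip("\n").split(" ", 4)
    if len(fields) < 4 or fields[0] != "[GNUPG:]" or fields[1] != "PLAINTEXT":
        return None
    return unquote_to_bytes(fields[4]) if len(fields) > 4 else b""


def demo():
    """Constructed inputs: a hostile unsigned packet, a benign one, and a status line."""
    hostile = build_literal_data_packet(b"../../../.ssh/authorized_keys",
                                        b"ssh-ed25519 AAAA... attacker\n")
    _, hostile_name, _, _ = parse_literal_data_packet(hostile)
    benign = build_literal_data_packet(b"report.txt", b"hello\n")
    _, benign_name, _, _ = parse_literal_data_packet(benign)
    # Constructed status line as gpg --status-fd would report it (62 == 'b' binary).
    status_name = parse_plaintext_status(
        "[GNUPG:] PLAINTEXT 62 1700000000 ../../evil%20name.sh\n")
    return {
        "hostile": (hostile_name, is_harmless_filename(hostile_name)),
        "benign": (benign_name, is_harmless_filename(benign_name)),
        "status": (status_name, is_harmless_filename(status_name)),
    }


if __name__ == "__main__":
    for label, (name, ok) in demo().items():
        print(f"{label}: {name!r} -> {'rename' if ok else 'REJECT'}")
```

In practice the consumer runs `gpg --status-fd 1 --output <tmpfile> --decrypt` (never --use-embedded-filename), feeds each status line through `parse_plaintext_status`, and renames the temporary file only when `is_harmless_filename` accepts the result; the hostile traversal name above is rejected while `report.txt` is allowed.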



Event Timeline

The patch supplied here should apply to STABLE-BRANCH-2-4, but it should also be easy enough to backport to STABLE-BRANCH-2-2 and STABLE-BRANCH-1-4. For GnuPG master, I recommend actually removing the option.

I agree. Any automatic use of the embedded filename will be potentially problematic security-wise. The only safe use is probably as a value in an interactive dialog, and even then, only if the user doesn't accept a dangerous value.

werner claimed this task.

Unfortunately there are real world applications which make use of this option in special environments. Thus we can't remove it. I improved the warning in the man page.