
GnuPG Accepts Path Separators and Path Traversals in Literal Data "Filename" Field
Status: Testing. Priority: Low. Visibility: Public.

Description

In GnuPG, the handling of the embedded filename (the "filename" field of the Literal Data packet) is considered dangerous: the value is used without sufficient sanitization or validation.

Event Timeline

gniibe created this object in space Restricted Space.
gniibe created this object with visibility "g10code (Project)".
gniibe created this object with edit policy "g10code (Project)".
gniibe mentioned this in Unknown Object (Maniphest Task). Mon, Nov 10, 2:51 AM

The problem is that a user may unintentionally use the suggested filename without checking that it does no harm to write to this file. It is better not to present a default name at all.
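The description and the comment above both concern the same weakness: a filename taken from the Literal Data packet and reused for output without sanitization. The following is an added example, not GnuPG's own code: it parses a minimal new-format Literal Data packet (RFC 4880 section 5.9, one-octet body length only), then reduces the untrusted embedded filename to a bare basename with every separator and traversal component removed, falling back to a fixed name where nothing usable remains. The packet-building helper and the sample filename are constructed for the demonstration.

```python
import posixpath
import struct

LITERAL_DATA_TAG = 11  # OpenPGP Literal Data packet tag


def build_literal_packet(filename: bytes, data: bytes, fmt: bytes = b"b", date: int = 0) -> bytes:
    """Constructed helper: assemble a new-format Literal Data packet with a one-octet length."""
    body = fmt + bytes([len(filename)]) + filename + struct.pack(">I", date) + data
    if len(body) >= 192:
        raise ValueError("sample builder only emits the one-octet length form")
    return bytes([0xC0 | LITERAL_DATA_TAG, len(body)]) + body


def parse_literal_packet(pkt: bytes):
    """Return (format, raw_filename, date, data) from a new-format Literal Data packet."""
    if len(pkt) < 2 or pkt[0] != (0xC0 | LITERAL_DATA_TAG):
        raise ValueError("not a new-format Literal Data packet")
    body_len = pkt[1]
    if body_len >= 192:
        raise ValueError("only the one-octet length form is handled here")
    body = pkt[2:2 + body_len]
    # format octet + filename length octet + 4-octet date is the minimum body
    if len(body) != body_len or len(body) < 6:
        raise ValueError("truncated packet")
    fmt = body[0:1]
    name_len = body[1]
    if len(body) < 2 + name_len + 4:
        raise ValueError("filename length exceeds packet body")
    raw_name = body[2:2 + name_len]
    date = struct.unpack(">I", body[2 + name_len:6 + name_len])[0]
    return fmt, raw_name, date, body[6 + name_len:]


def safe_output_name(raw_name: bytes, fallback: str = "gpg-output") -> str:
    """Reduce an untrusted embedded filename to a non-traversing basename, or a fallback."""
    name = raw_name.decode("utf-8", errors="replace")
    name = name.replace("\\", "/")      # treat Windows separators as separators too
    base = posixpath.basename(name)     # discard every directory component, including ".."
    if base in ("", ".", "..") or any(ord(c) < 0x20 for c in base):
        return fallback                 # nothing safe is left; use a fixed name instead
    return base
```

Following the comment's suggestion, a caller can ignore the derived basename entirely and always use the fallback; the parser above still validates that the filename length fits inside the packet body.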

werner changed the task status from Open to Testing. Wed, Nov 19, 5:43 PM
werner triaged this task as Low priority.
werner shifted this object from the Restricted Space space to the S1 Public space.
werner changed the visibility from "g10code (Project)" to "Public (No Login Required)".
werner changed the edit policy from "g10code (Project)" to "Contributor (Project)".
werner removed a project: g10code.