This has CVE-2020-25125
Sep 3 2020
2.2.23 has been released and announced.
The fix will be in the 2.2.23 release (T5045).
To implement this it would be best to have a gpg_strerror variant which does not call dgettext.
re 1: Correct utf-8 truncation would be quite some work. In this case the message in the Assuan interface is a debugging aid. Translation is not necessary so we can try to disable it.
You need to get your toolchain correctly installed.
Sep 2 2020
A bug was reported against this version which could happen also to older versions of GnuPG 2.2. In case of a crash please apply the patch over at rG8ec9573e57866dda5efb4677d4454161517484bc or wait for 2.2.23
See https://bugzilla.opensuse.org/show_bug.cgi?id=1176034 for the original bug report. I was not able to replicate the crash but the bad reads. The error is pretty obvious: The code expects that all fields are zeroed out.
Sep 1 2020
gpg-agent has only very limited support for ssh certificates which is the reason that your command fails.
I should add a test with Gnuk to my Windows quick test after a release.
Aug 31 2020
There is not a lot of demand for this, thus we have not continued to think about it.
As a workaround please run
Let's continue discussion at T5040
There seems to be a problem with Gnuk and thus Nitrokey tokens with 2.2.22. We are investigating this. See T5039.
Aug 30 2020
If we can use the code please first commit the original code to the repo and only then apply code style fixes.
We need to clarify two things:
Aug 29 2020
FWIW, here is an example of the warnings we use. Yes it starts with -Wall but there are a couple of more specific warnings and at a few places we even use pragmas to disable warnings. And it depends on the compiler version used.
Aug 28 2020
-Wall is not a good idea in general because it is too unspecific. This is why we have a list of useful warnings and warnings we ignore with gcc.
Fixed in gnupg and gpgme. It is not serious because that is just a failsafe check; libksba creates these strings and it does it correctly.
We have the same flaw in gnupg.
I think we should make zlib a mandatory dependency.
Aug 27 2020
Thanks. Applied to 2.2 and master.
I still don't think that it is correct. We would also need to turn fd from an int to a gnupg_fd_t (i.e. a HANDLE under Windows), which requires other changes and should be done in the other parts of the code as well. assuan_sock_close also delegates to the system specific function and on Windows removes the fd also from the cygwin table. This may trigger other bugs, so I'd like to keep it as it is to go with the code which has been in active use for a long time - at least for 2.2.
0.2.0 was just released with support for GCM. Tested against openpgpkeys.pm.me
Aug 26 2020
I am always glad to fix such bugs before a release (I am about to prepare 2.2.22).
rG4c8d5eb0bdd3: agent: Allow TERM="".
Mails crossed ;-)
Ah wait. This has been fixed in master a year ago but was not backported to 2.2; see T4137. I'll add it to the forthcoming 2.2.22. Thanks for the report.
The warning above is harmless. Both strings are actually the same but stem from different versions of the autotools helper scripts.