Your message dated Sat, 12 Apr 2025 16:39:25 +0200
with message-id <[email protected]>
and subject line Re: Bug#575084: gpg ignores junk in -u parameter
has caused the Debian Bug report #575084,
regarding [gnupg/1206] gpg ignores junk in -u parameter
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
575084: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=575084
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: gnupg
Version: 1.4.10-2
Severity: minor
File: /usr/bin/gpg

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

this is probably relatively minor, but given the security importance of
gpg, I think it would not hurt if gpg would be more picky with regard to
its input:

It seems that
$ gpg --sign --armour -u "4743206C
has the same effect as
$ gpg --sign --armour -u "4743206C junk"
while
$ gpg --sign --armour -u "4743206Cjunk"
is rejected.

I’d expect gpg to complain with the second invocation as well, just to
be on the safe side.

Greetings,
Joachim

- -- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages gnupg depends on:
ii  dpkg                    1.15.5.6         Debian package management system
ii  gpgv                    1.4.10-2         GNU privacy guard - signature veri
ii  install-info            4.13a.dfsg.1-5   Manage installed documentation in 
ii  libbz2-1.0              1.0.5-4          high-quality block-sorting file co
ii  libc6                   2.10.2-6         Embedded GNU C Library: Shared lib
ii  libreadline6            6.1-1            GNU readline and history libraries
ii  libusb-0.1-4            2:0.1.12-14      userspace USB programming library
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

Versions of packages gnupg recommends:
pn  gnupg-curl                    <none>     (no description available)
ii  libldap-2.4-2                 2.4.17-2.1 OpenLDAP libraries

Versions of packages gnupg suggests:
ii  eog                          2.28.2-1    Eye of GNOME graphics viewer progr
pn  gnupg-doc                    <none>      (no description available)
ii  imagemagick                  7:6.6.0.4-1 image manipulation programs
ii  libpcsclite1                 1.5.5-3     Middleware to access a smart card 

- -- no debconf information

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkuoooYACgkQ9ijrk0dDIGy6DwCglZMpr94hrBj6JcFP+eIy/vib
ZNUAoJkNWjc7Xl/7reAhfTRwRLz7QctZ
=0bUa
-----END PGP SIGNATURE-----

--- End Message ---
--- Begin Message ---
Version: 2.1.10-1

On 2010-03-23 Joachim Breitner <[email protected]> wrote:
> Package: gnupg
> Version: 1.4.10-2
> Severity: minor
> File: /usr/bin/gpg

> Hi,

> this is probably relatively minor, but given the security importance of
> gpg, I think it would not hurt if gpg would be more picky with regard to
> its input:

> It seems that
> $ gpg --sign --armour -u "4743206C
> has the same effect as
> $ gpg --sign --armour -u "4743206C junk"
> while
> $ gpg --sign --armour -u "4743206Cjunk"
> is rejected.

> I’d expect gpg to complain with the second invocation as well, just to
> be on the safe side.

Fixed in 2.1.10

f99830b72812395da5451152bdd2f2d90a7cb7fb
Author: Neal H. Walfield <[email protected]>  2015-11-06 12:31:16
Committer: Neal H. Walfield <[email protected]>  2015-11-06 12:31:16
Parent: e8c53fca954d33366e3494a6d4eecc3868282bcc (gpg: Check for ambiguous or non-matching key specs.)
Child:  a74aeb5dae1f673fcd98b39a6a0496f3c622709a (gpg: Add new option --only-sign-text-ids.)
Branches: STABLE-BRANCH-2-2, master, remotes/origin/STABLE-BRANCH-2-2 and many more (85)
Follows: gnupg-2.1.9
Precedes: gnupg-2.1.10

    common: When classifying keyids and fingerprints, reject trailing junk.

    * common/userids.c (classify_user_id): Trim any trailing whitespace.
    Before assuming that a hexstring corresponds to a key id or
    fingerprint, make sure that it is NUL terminated.

    --
    Signed-off-by: Neal H. Walfield <[email protected]>
    GnuPG-bug-id: 1206
    Debian-bug-id: 575084

--- End Message ---
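The behaviour reported above and the fix described in the commit message (trim trailing whitespace, then require the hex string to be NUL terminated before treating it as a key id or fingerprint) can be illustrated with a small classifier. The code below is an added example written for this page; it is not GnuPG's classify_user_id() and does not reproduce its internals. The function name classify_keyspec, the keyspec_kind enum, the optional "0x" prefix handling, the rule that any spec containing "@" is a user-id search, and the decision to refuse junk outright in strict mode rather than fall back to a name search are all assumptions of this example. The lenient branch only reconstructs what the report observed: a hex run followed by a blank was accepted and the remainder ignored, while hex glued to other characters was not taken as a key id.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example: a hypothetical key-spec classifier, not GnuPG's
 * classify_user_id(). It contrasts the lenient behaviour from the bug
 * report with a strict variant that trims whitespace and then insists
 * the hex run reaches the end of the string. */

enum keyspec_kind {
    KEYSPEC_INVALID = 0,    /* key-id-sized hex run followed by junk, or empty */
    KEYSPEC_SHORT_KEYID,    /* 8 hex digits  */
    KEYSPEC_LONG_KEYID,     /* 16 hex digits */
    KEYSPEC_FINGERPRINT,    /* 40 hex digits */
    KEYSPEC_SEARCH_STRING   /* anything else: substring search on user ids */
};

static enum keyspec_kind kind_for_hex_length(size_t n)
{
    switch (n) {
    case 8:  return KEYSPEC_SHORT_KEYID;
    case 16: return KEYSPEC_LONG_KEYID;
    case 40: return KEYSPEC_FINGERPRINT;
    default: return KEYSPEC_SEARCH_STRING;
    }
}

/* strict == 0 reproduces what the bug report observed: a hex run ended by
 * a blank is accepted and the rest of the argument is silently dropped.
 * strict != 0 trims surrounding whitespace first and then requires the hex
 * run to end the string, refusing anything else. */
enum keyspec_kind classify_keyspec(const char *spec, int strict)
{
    const char *start = spec;
    const char *end = spec + strlen(spec);

    /* Leading whitespace carries no meaning in either mode. */
    while (start < end && isspace((unsigned char)*start))
        start++;
    /* The fix: drop trailing whitespace before any other check. */
    if (strict)
        while (end > start && isspace((unsigned char)end[-1]))
            end--;
    if (start == end)
        return KEYSPEC_INVALID;

    /* Assumed rule: an "@" anywhere means a user-id (e-mail) search, so a
     * hex-looking local part such as cafe1234@... is never read as a key id. */
    if (memchr(start, '@', (size_t)(end - start)))
        return KEYSPEC_SEARCH_STRING;

    const char *p = start;
    if (end - p > 2 && p[0] == '0' && (p[1] == 'x' || p[1] == 'X'))
        p += 2;                              /* optional 0x prefix (assumed) */

    size_t nhex = 0;
    while (p + nhex < end && isxdigit((unsigned char)p[nhex]))
        nhex++;
    enum keyspec_kind kind = kind_for_hex_length(nhex);
    if (kind == KEYSPEC_SEARCH_STRING)
        return kind;                         /* not a key-id-sized hex run */

    const char *rest = p + nhex;
    if (rest == end)
        return kind;                         /* clean key id or fingerprint */

    if (!strict) {
        /* Lenient: "4743206C junk" passes as the key id 4743206C, whereas
         * "4743206Cjunk" is not a key id and becomes a substring search
         * (which then matches nothing, i.e. is "rejected"). */
        return isspace((unsigned char)*rest) ? kind : KEYSPEC_SEARCH_STRING;
    }
    /* Strict: leftover bytes after trimming mean the caller passed junk;
     * refuse rather than guess which key was meant. */
    return KEYSPEC_INVALID;
}

int main(void)
{
    /* Constructed samples; the first three are the invocations from the report. */
    static const char *const samples[] = {
        "4743206C", "4743206C junk", "4743206Cjunk", "  0x4743206C "
    };
    static const char *const names[] = {
        "INVALID", "SHORT_KEYID", "LONG_KEYID", "FINGERPRINT", "SEARCH_STRING"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s lenient=%-13s strict=%s\n", samples[i],
               names[classify_keyspec(samples[i], 0)],
               names[classify_keyspec(samples[i], 1)]);
    return 0;
}
```

The security-relevant point is the difference between the two failure modes: silently ignoring "junk" after a blank lets a malformed argument select a key the caller may not have intended, whereas refusing it (or, as the commit message describes, no longer treating the string as a key id) surfaces the mistake to the user.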
