Control: retitle 630086 reportbug does not sign attachments, headers, or pseudoheaders
Control: found 630086 11.5.1
On Fri 2011-06-10 10:16:12 -0700, Jameson Graef Rollins wrote:
> Package: reportbug
> Version: 5.1.1
> Severity: normal
>
> When using --gpg (or the "sign" config variable) reportbug is not
> signing attachments to the bug report.

In addition to this, the pseudoheaders and the message headers are also not properly signed, which means that the signed message section itself could be replayed against different packages, versions, or with a different subject. Pseudoheaders and message headers are a critical part of the message context.

For other problems with inline PGP signatures, see:

  https://dkg.fifthhorseman.net/blog/inline-pgp-considered-harmful.html
  https://www.ietf.org/archive/id/draft-ietf-lamps-e2e-mail-guidance-03.html#name-avoiding-non-mime-cryptogra

Reportbug should use a PGP/MIME signature that covers all the essential data of the message, rather than an inline signature.

Making matters worse, the signing code appears to pass an interpolated string to os.system, which contains arbitrary text from the --keyid option, which means shell metacharacters in --keyid will result in arbitrary code execution.

Finally, rather than relying on /usr/bin/gpg or /usr/bin/pgp, reportbug should be able to sign with any Stateless OpenPGP ("sop") implementation (e.g. sqop, pgpainless-cli, gosop, or any other sop implementation that we can land in debian) by indicating a path to the signing secret key instead of a key ID.

--dkg
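The shape of the fix dkg is asking for, as an added example that is not reportbug's own code: the report is emitted as a PGP/MIME (RFC 3156) multipart/signed message whose signed entity contains the pseudoheaders, body and attachments, and the signer is invoked with an argv list rather than a shell string. It assumes a sop implementation taking `sign KEY` on its command line with the data on stdin (the `sqop` name and the `pgp-sha256` micalg are placeholders that must match the signer actually used).

```python
"""Added example (not reportbug's own code): emit the report as PGP/MIME
(RFC 3156) so one signature covers pseudoheaders, body and attachments,
and hand the signer an argv list so --keyid text never reaches a shell."""
import subprocess
from email import encoders
from email.message import EmailMessage
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart

def build_signed_part(pseudoheaders: dict, body: str,
                      attachments: list[tuple[str, bytes]]) -> EmailMessage:
    """Everything that gives the report its context goes inside the signed
    entity, so the signature cannot be replayed against another package."""
    part = EmailMessage()
    text = "".join(f"{k}: {v}\n" for k, v in pseudoheaders.items())
    part.set_content(text + "\n" + body)
    for name, data in attachments:  # attachments are signed too
        part.add_attachment(data, maintype="application",
                            subtype="octet-stream", filename=name)
    return part

def canonical_bytes(part: EmailMessage) -> bytes:
    # RFC 3156: the signed data is the MIME entity with CRLF line endings.
    return part.as_bytes(policy=part.policy.clone(linesep="\r\n"))

def sop_sign_argv(sop_binary: str, key_path: str) -> list[str]:
    """Argv for a Stateless OpenPGP signer (assumed CLI form:
    'sop sign KEY < data > signature'). A list, not an interpolated string:
    metacharacters in key_path (or a --keyid) stay one argument instead of
    being interpreted as in os.system("gpg ... %s" % keyid)."""
    return [sop_binary, "sign", key_path]

def run_signer(argv: list[str], data: bytes) -> bytes:
    return subprocess.run(argv, input=data, capture_output=True,
                          check=True).stdout  # no shell involved

def build_pgp_mime(pseudoheaders, body, attachments, signer) -> MIMEMultipart:
    """signer(bytes) -> detached ASCII-armored signature, e.g.
    lambda d: run_signer(sop_sign_argv("sqop", "/path/to/key"), d)."""
    inner = build_signed_part(pseudoheaders, body, attachments)
    outer = MIMEMultipart("signed", protocol="application/pgp-signature",
                          micalg="pgp-sha256")  # micalg must match the signer
    outer.attach(inner)
    sig = MIMEApplication(signer(canonical_bytes(inner)), "pgp-signature",
                          _encoder=encoders.encode_7or8bit)
    sig.add_header("Content-Disposition", "attachment", filename="signature.asc")
    outer.attach(sig)
    return outer
```

A verifier that checks the signature over `canonical_bytes(inner)` now also verifies the Package and Version pseudoheaders and every attachment, which the inline signature never covered.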