Source: gnupg2 Severity: important Tags: patch upstream X-Debbugs-Cc: [email protected]
Dear maintainer,
The check for escaping characters in `write_status_text_and_buffer` is
written in `g10/cpr.c` as:
```c
333 if (*s == '%' || *(const byte*)s <= lower_limit
334 || *(const byte*)s == 127 )
```
Except `byte` is defined as an unsigned char, with non-printable values
exceeding 127.
Therefor the check should be `>= 127` and not `== 127`.
Practically, this means that some non-printable character are currently
not correctly escaped in a status output.
The following commands illustrate the bug:
```
mkdir -p /tmp/gpg
chmod 700 /tmp/gpg
echo test > /tmp/test.txt
cat << EOF > /tmp/key.txt
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: Test key
Name-Comment: comment
Name-Email: [email protected]
Expire-Date: 0
Passphrase: abc
%commit
%echo done
EOF
GNUPGHOME=/tmp/gpg gpg --batch --generate-key /tmp/key.txt
GNUPGHOME=/tmp/gpg gpg --set-notation \
"[email protected]=This is a non-printable char [$(printf "\x8c")]" \
--clearsign /tmp/test.txt
GNUPGHOME=/tmp/gpg gpg --status-fd 1 --with-colons \
--verify /tmp/test.txt.asc | cat -A
```
This outputs:
```
[GNUPG:] NOTATION_DATA This%20is%20a%20non-printable%20char%20[M-^L]$
```
While with the proposed patch, it encodes correctly to:
```
[GNUPG:] NOTATION_DATA This%20is%20a%20non-printable%20char%20[%8C]$
```
Best,
-- System Information:
Debian Release: 12.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500,
'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.8.11-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_USER
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
(ignored: LC_ALL set to C.UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
-- no debconf information
--
Baptiste Beauplat
diff -Nru gnupg2-2.2.43/debian/patches/Escape-char-127-in-write_status_text_and_buffer.patch gnupg2-2.2.43/debian/patches/Escape-char-127-in-write_status_text_and_buffer.patch --- gnupg2-2.2.43/debian/patches/Escape-char-127-in-write_status_text_and_buffer.patch 1970-01-01 01:00:00.000000000 +0100 +++ gnupg2-2.2.43/debian/patches/Escape-char-127-in-write_status_text_and_buffer.patch 2024-06-23 14:16:58.000000000 +0200 @@ -0,0 +1,21 @@ +From: Baptiste Beauplat <[email protected]> +Date: Sun, 23 Jun 2024 14:16:44 +0200 +Subject: Escape char >= 127 in write_status_text_and_buffer + +--- + g10/cpr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/g10/cpr.c b/g10/cpr.c +index bc4b715..cd4301d 100644 +--- a/g10/cpr.c ++++ b/g10/cpr.c +@@ -331,7 +331,7 @@ write_status_text_and_buffer (int no, const char *string, + for (esc=0, s=buffer, n=len; n; s++, n--) + { + if (*s == '%' || *(const byte*)s <= lower_limit +- || *(const byte*)s == 127 ) ++ || *(const byte*)s >= 127 ) + esc = 1; + if (wrap && ++count > wrap) + dowrap=1; diff -Nru gnupg2-2.2.43/debian/patches/series gnupg2-2.2.43/debian/patches/series --- gnupg2-2.2.43/debian/patches/series 2024-06-01 01:22:29.000000000 +0200 +++ gnupg2-2.2.43/debian/patches/series 2024-06-23 14:16:58.000000000 +0200 @@ -28,3 +28,4 @@ restore-nl.po.patch from-upstream/scd-openpgp-Fix-PIN-pin2hash_if_kdf.patch from-master/gpg-Report-BEGIN_-status-before-examining-the-input.patch +Escape-char-127-in-write_status_text_and_buffer.patch
signature.asc
Description: This is a digitally signed message part
