On Fri, 2005-08-12 at 10:51 -0700, [EMAIL PROTECTED] wrote:
> David Srbecky dsrbecky at gmail.com
> Thu Aug 11 18:19:54 CEST 2005 wrote:
>
> ] I have played with the idea of using experimental subpackets
> ] of 'User Attribute Packet' and here is what I came up with:
>
> Doesn't this pose some risk of exploit?
>
> Suppose someone wants to put a malicious executable as part of the
> packet, and gives it some interesting name. Is there anything in gnupg
> that would prevent the running of the executable? (I.e. is the key
> just 'ignored' or 'refused' as 'key with unsupported packet type'?
>
> And can this protect against some type of malware corrupting the
> system, just by getting gnupg to 'check' the packet?)

1. GPG doesn't have any reason to be more vulnerable to this type of
"attack" than any other piece of software. It doesn't matter what you
put in a supposed pgp public key block and send to gpg -- gpg should not
execute anything inside of it. If gpg does execute machine code that's
been passed to it in a file, it's a bug in gpg. There may or may not be
an undiscovered bug of this type in the subpacket processing code in gpg.

Perhaps the reason you are concerned about this type of problem is that
you are used to hearing about "code that executes when you view a
malicious Word document" or "a worm that takes over your computer when
you view a specially crafted email using Outlook". Issues like those are
the result of poor application design. In other words, there is nothing
inherent about computers or computer programs that creates an
unavoidable progression from viewing or manipulating something to
executing it.

Eric

_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
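The point Eric makes above, that whatever sits inside a key block is data the parser measures and labels but never runs, can be shown with a small parser for the User Attribute packet (tag 17) the thread is about. The following is an added example written for this page; it is not code from GnuPG or from anyone in the thread. It follows the packet and subpacket length encodings of RFC 4880 (sections 4.2.2, 5.2.3.1 and 5.12), handles only new-format headers without partial body lengths, and embeds a constructed "executable" payload (an ELF magic plus junk bytes) in an experimental subpacket type (100..110 are the private/experimental range). Every function name and the sample bytes are the example's own.

```python
"""Parse an OpenPGP User Attribute packet and label its subpackets.

Added example, not GnuPG code. A subpacket's content, experimental or not,
is opaque bytes here: the parser bounds-checks it and records its type and
size, and nothing ever interprets or executes it. Malformed lengths are
rejected with ValueError instead of being read past the buffer.
"""
from __future__ import annotations

import struct

TAG_USER_ATTRIBUTE = 17               # RFC 4880 5.12
SUBPKT_IMAGE = 1                      # the only subpacket type RFC 4880 defines
EXPERIMENTAL_TYPES = range(100, 111)  # 100..110 are private/experimental

# Constructed stand-in for "a malicious executable with an interesting
# name": ELF magic, a tempting filename, then junk. To the parser it is
# 87 bytes of payload and nothing more.
FAKE_EXECUTABLE = b"\x7fELF" + b"update-keyring.exe\x00" + bytes(range(64))


def encode_length(n: int) -> bytes:
    """RFC 4880 length encoding shared by new-format packet headers
    (non-partial forms) and subpackets: 1, 2 or 5 octets."""
    if n < 192:
        return bytes([n])
    if n < 8384:
        n -= 192
        return bytes([192 + (n >> 8), n & 0xFF])
    return b"\xff" + struct.pack(">I", n)


def decode_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Return (length, position after the length field); raise if truncated."""
    if pos >= len(buf):
        raise ValueError("truncated length field")
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        if pos + 1 >= len(buf):
            raise ValueError("truncated two-octet length")
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    if pos + 5 > len(buf):
        raise ValueError("truncated five-octet length")
    return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5


def build_user_attribute_packet(subpackets: list[tuple[int, bytes]]) -> bytes:
    """Serialize (type, data) pairs as a new-format User Attribute packet.
    Each subpacket length covers the type octet plus the data."""
    body = b"".join(encode_length(1 + len(data)) + bytes([t]) + data
                    for t, data in subpackets)
    return bytes([0xC0 | TAG_USER_ATTRIBUTE]) + encode_length(len(body)) + body


def parse_user_attribute_packet(pkt: bytes) -> list[dict]:
    """Walk the subpackets and return type/kind/size per subpacket.
    Content is never decoded beyond reading a 4-byte hex preview."""
    if not pkt or not pkt[0] & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if not pkt[0] & 0x40:
        raise ValueError("old-format header not handled in this example")
    tag = pkt[0] & 0x3F
    if tag != TAG_USER_ATTRIBUTE:
        raise ValueError(f"tag {tag} is not a User Attribute packet")
    if len(pkt) > 1 and 224 <= pkt[1] <= 254:
        raise ValueError("partial body lengths not handled in this example")
    body_len, pos = decode_length(pkt, 1)
    body = pkt[pos:]
    if len(body) != body_len:
        raise ValueError(f"header claims {body_len} body bytes, got {len(body)}")

    out = []
    pos = 0
    while pos < len(body):
        sub_len, pos = decode_length(body, pos)
        if sub_len < 1 or pos + sub_len > len(body):
            raise ValueError("subpacket length runs past end of packet")
        sub_type = body[pos]
        data = body[pos + 1:pos + sub_len]   # sliced, bounded, never interpreted
        pos += sub_len
        if sub_type == SUBPKT_IMAGE:
            kind = "image"
        elif sub_type in EXPERIMENTAL_TYPES:
            kind = "experimental"
        else:
            kind = "unknown"
        out.append({"type": sub_type, "kind": kind,
                    "length": len(data), "magic": data[:4].hex()})
    return out


def is_rejected(pkt: bytes) -> bool:
    """True if the parser refuses the packet rather than misreading it."""
    try:
        parse_user_attribute_packet(pkt)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    pkt = build_user_attribute_packet([(100, FAKE_EXECUTABLE)])
    for entry in parse_user_attribute_packet(pkt):
        print(entry)
    # A length field bumped past the real end is caught, not followed.
    tampered = bytearray(pkt)
    tampered[2] += 1
    print("tampered length rejected:", is_rejected(bytes(tampered)))
```

The two checks that matter for the question in the thread are the comparison of the header's claimed body length against the bytes actually present and the `pos + sub_len > len(body)` bound on each subpacket; those are what keep a crafted length from turning into an out-of-bounds read, which is the only class of bug that could make "checking" a packet dangerous.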
