
Bug#630086: reportbug does not sign attachments
Control: retitle 630086 reportbug does not sign attachments, headers, or pseudoheaders
Control: found 630086 11.5.1

On Fri 2011-06-10 10:16:12 -0700, Jameson Graef Rollins wrote:
> Package: reportbug
> Version: 5.1.1
> Severity: normal
>
> When using --gpg (or the "sign" config variable) reportbug is not
> signing attachments to the bug report.

In addition to this, the pseudoheaders and the message headers are also
not properly signed, which means that the signed message section itself
could be replayed against different packages, versions, or with a
different subject.  Pseudoheaders and message headers are a critical
part of the message context.

For other problems with inline PGP signatures, see:

   https://dkg.fifthhorseman.net/blog/inline-pgp-considered-harmful.html
   https://www.ietf.org/archive/id/draft-ietf-lamps-e2e-mail-guidance-03.html#name-avoiding-non-mime-cryptogra

Reportbug should use a PGP/MIME signature that covers all the essential
data of the message, rather than an inline signature.

Making matters worse, the signing code appears to pass an interpolated
string to os.system, which contains arbitrary text from the --keyid
option, which means shell metacharacters in --keyid will result in
arbitrary code execution.

Finally, rather than relying on /usr/bin/gpg or /usr/bin/pgp, reportbug
should be able to sign with any Stateless OpenPGP ("sop") implementation
(e.g. sqop, pgpainless-cli, gosop, or any other sop implementation that
we can land in debian) by indicating a path to the signing secret key
instead of a key ID.

          --dkg
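As an added illustration of the two fixes proposed in the message above (not reportbug's own code, and not written by its author): the signed payload covers headers, pseudoheaders and body together, and the signer is invoked with an argv list rather than a shell string, so the key ID or key path is always a single argument. The function names, the `sqop` binary name, the key path and the sample header values are assumptions; the sample report values are taken from the bug report quoted above.

```python
import subprocess
from typing import Dict, List

# Constructed sample of the data a bug-report signature should cover.
# Signing headers, pseudoheaders and body as one unit means none of them
# can be swapped out (other package, version or subject) without
# invalidating the signature.
SAMPLE_HEADERS = {"Subject": "reportbug does not sign attachments",
                  "To": "submit@bugs.debian.org"}
SAMPLE_PSEUDOHEADERS = {"Package": "reportbug", "Version": "5.1.1",
                        "Severity": "normal"}
SAMPLE_BODY = "When using --gpg reportbug is not signing attachments.\n"


def signing_payload(headers: Dict[str, str], pseudoheaders: Dict[str, str],
                    body: str) -> bytes:
    """Canonical text to sign: headers, blank line, pseudoheaders, blank line, body."""
    head = "".join(f"{k}: {v}\n" for k, v in headers.items())
    pseudo = "".join(f"{k}: {v}\n" for k, v in pseudoheaders.items())
    return (head + "\n" + pseudo + "\n" + body).encode()


def gpg_sign_argv(keyid: str) -> List[str]:
    """argv for a detached, armored gpg signature.

    The key ID is one list element, so shell metacharacters in it are
    passed to gpg literally instead of being interpreted (the problem with
    interpolating --keyid into an os.system() string).
    """
    return ["gpg", "--batch", "--armor", "--detach-sign", "--local-user", keyid]


def sop_sign_argv(key_path: str, sop_binary: str = "sqop") -> List[str]:
    """argv for 'sop sign': any sop implementation, keyed by a secret-key file path."""
    return [sop_binary, "sign", "--as=text", key_path]


def sign_detached(payload: bytes, argv: List[str]) -> bytes:
    """Run the signer without a shell; data on stdin, detached signature on stdout."""
    proc = subprocess.run(argv, input=payload, stdout=subprocess.PIPE, check=True)
    return proc.stdout


if __name__ == "__main__":
    payload = signing_payload(SAMPLE_HEADERS, SAMPLE_PSEUDOHEADERS, SAMPLE_BODY)
    try:  # assumes sqop and a secret key at the placeholder path
        print(sign_detached(payload, sop_sign_argv("/path/to/secret-key.asc")).decode())
    except (FileNotFoundError, subprocess.CalledProcessError) as err:
        print(f"signing not available here: {err}")
```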
