
Bug#993441: marked as done (kleopatra: Creates unsafe ~/.gnupg when not already present)



Your message dated Mon, 27 Sep 2021 07:03:31 +0000
with message-id <E1mUkfj-0000um-Bk@fasolo.debian.org>
and subject line Bug#993441: fixed in kleopatra 4:21.08.1-2
has caused the Debian Bug report #993441,
regarding kleopatra: Creates unsafe ~/.gnupg when not already present
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
993441: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993441
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: kleopatra
Version: 4:21.08.0-1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

I had previously 'improved' my gnupg configuration, but that is (now)
deprecated.
So I moved my ~/.gnupg directory to a backup location to start anew.

If I then start Kleopatra, but don't do anything with it, that directory
gets created, but with the wrong permissions:
diederik@bagend:~$ stat .gnupg/
  File: .gnupg/
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 10304h/66308d   Inode: 12845182    Links: 3
Access: (0755/drwxr-xr-x)  Uid: ( 1000/diederik)   Gid: ( 1000/diederik)

Running a gpg command from a Konsole window reports the issue:
diederik@bagend:~$ gpg --list-keys
gpg: WARNING: unsafe permissions on homedir '/home/diederik/.gnupg'


If I uninstall Kleopatra and remove the ~/.gnupg directory (again) and
then do 'gpg --list-keys', I get:
diederik@bagend:~$ gpg --list-keys
gpg: directory '/home/diederik/.gnupg' created
gpg: keybox '/home/diederik/.gnupg/pubring.kbx' created
gpg: /home/diederik/.gnupg/trustdb.gpg: trustdb created
diederik@bagend:~$ stat .gnupg/
  File: .gnupg/
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 10304h/66308d   Inode: 12845180    Links: 2
Access: (0700/drwx------)  Uid: ( 1000/diederik)   Gid: ( 1000/diederik)

So Kleopatra creates ~/.gnupg with incorrect permissions when the
directory doesn't exist.

Cheers,
  Diederik

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'unstable'), (500, 'testing'), (101, 'experimental'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: arm64

Kernel: Linux 5.10.0-8-amd64 (SMP w/16 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages kleopatra depends on:
ii  dirmngr                                2.2.27-2
ii  gnupg                                  2.2.27-2
ii  gpgsm                                  2.2.27-2
ii  libassuan0                             2.5.5-1
ii  libc6                                  2.31-17
ii  libgcc-s1                              11.2.0-3
ii  libgpg-error0                          1.42-3
ii  libgpgme11                             1.16.0-1
ii  libgpgmepp6                            1.16.0-1
ii  libkf5codecs5                          5.85.0-2
ii  libkf5configcore5                      5.85.0-2
ii  libkf5configgui5                       5.85.0-2
ii  libkf5configwidgets5                   5.85.0-2
ii  libkf5coreaddons5                      5.85.0-2
ii  libkf5crash5                           5.85.0-2
ii  libkf5dbusaddons5                      5.85.0-2
ii  libkf5i18n5                            5.85.0-2
ii  libkf5iconthemes5                      5.85.0-2
ii  libkf5itemmodels5                      5.85.0-2
ii  libkf5libkleo5 [libkf5libkleo5-21.08]  4:21.08.0-1
ii  libkf5mime5abi1 [libkf5mime5-21.08]    21.08.0-1
ii  libkf5notifications5                   5.85.0-3
ii  libkf5textwidgets5                     5.85.0-2
ii  libkf5widgetsaddons5                   5.85.0-2
ii  libkf5windowsystem5                    5.85.0-2
ii  libkf5xmlgui5                          5.85.0-3
ii  libqgpgme7                             1.16.0-1
ii  libqt5core5a                           5.15.2+dfsg-10
ii  libqt5dbus5                            5.15.2+dfsg-10
ii  libqt5gui5                             5.15.2+dfsg-10
ii  libqt5network5                         5.15.2+dfsg-10
ii  libqt5printsupport5                    5.15.2+dfsg-10
ii  libqt5widgets5                         5.15.2+dfsg-10
ii  libstdc++6                             11.2.0-3
ii  paperkey                               1.6-1
ii  pinentry-qt                            1.1.1-1

kleopatra recommends no packages.

kleopatra suggests no packages.

-- no debconf information

--- End Message ---
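
An added example, not part of the original report or of Kleopatra's code: a shell check for the condition the report describes (group or other permission bits on the GnuPG home directory), plus creation and repair helpers that give mode 0700 regardless of umask. The function names are hypothetical, GNU coreutils stat is assumed, and treating a symlinked homedir as a finding is a conservative choice made for this example.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names are hypothetical.
# Assumes GNU coreutils stat, as on the Debian system in the report.

# Print one of: ok, missing, symlink, not-a-directory, wrong-owner,
# unsafe-mode:<octal>. Exit status is 0 only for "ok".
gnupg_homedir_status() {
    dir=$1
    # Conservative choice of this example: report a symlink instead of following it.
    if [ -L "$dir" ]; then echo "symlink"; return 1; fi
    if [ ! -e "$dir" ]; then echo "missing"; return 1; fi
    if [ ! -d "$dir" ]; then echo "not-a-directory"; return 1; fi
    mode=$(stat -c '%a' "$dir")
    owner=$(stat -c '%u' "$dir")
    if [ "$owner" != "$(id -u)" ]; then echo "wrong-owner"; return 1; fi
    # Any group or other permission bit (mask 077) makes the directory unsafe.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "unsafe-mode:$mode"; return 1
    fi
    echo "ok"
}

# Create the directory with mode 0700 from the start, whatever the caller's
# umask is. mkdir without -p fails if the path exists, so an existing
# directory is never silently adopted.
gnupg_homedir_create() {
    ( umask 077 && mkdir -- "$1" ) || return 1
    gnupg_homedir_status "$1" >/dev/null
}

# Repair an existing directory: drop all group/other bits, keep the owner's.
gnupg_homedir_fix() {
    chmod go-rwx -- "$1" && gnupg_homedir_status "$1" >/dev/null
}

# Stand-alone use: sh this-file.sh ~/.gnupg
if [ $# -gt 0 ]; then
    gnupg_homedir_status "$1"
fi
```

Run against the 0755 directory shown in the report, the status function prints unsafe-mode:755; against the directory gpg created itself, it prints ok.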
--- Begin Message ---
Source: kleopatra
Source-Version: 4:21.08.1-2
Done: Norbert Preining <norbert@preining.info>

We believe that the bug you reported is fixed in the latest version of
kleopatra, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 993441@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Norbert Preining <norbert@preining.info> (supplier of updated kleopatra package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 27 Sep 2021 15:36:53 +0900
Source: kleopatra
Architecture: source
Version: 4:21.08.1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Norbert Preining <norbert@preining.info>
Closes: 993441
Changes:
 kleopatra (4:21.08.1-2) unstable; urgency=medium
 .
   [ Norbert Preining ]
   * Fix unsafe creation of GPGHOME directory (Closes: #993441).

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
