aboutsummaryrefslogtreecommitdiffstats
path: root/contrib
diff options
context:
space:
mode:
authorMarcin Serwin <marcin@serwin.dev>2024-10-26 09:17:03 +0200
committerRobin Jarry <robin@jarry.cc>2024-10-27 10:15:08 +0100
commit5ccd2d0d518c8de8c2ca921bcd0101e0d0c69a58 (patch)
tree0c7452878706c81feff5494ae64229b6a556ba8c /contrib
parente319d3291fb8be957f84cffc6d1f29e8c78a2d5b (diff)
downloadaerc-5ccd2d0d518c8de8c2ca921bcd0101e0d0c69a58.tar.gz
gpg: redirect status-fd from stdout to stderr
By preparing a maliciously crafted message an attacker could send an encrypted message without signature that would appear as signed within the aerc client. It is caused by the fact that the gpg status messages, which are used for determining the validity signature, are interspered with message contents. An example of such malicious message was added to the `reader_test.go`. This change redirects the satus-fd to stderr, while the usual stderr logs are discarded to /dev/null. In addition to fixing the vulnerability described above, this has the added benefit of stdout containing only useful output which does not need to be filtered. This simplifies the logic and avoids needless copies. Previous stderr parsing logic which detected when no valid OpenPGP data was present is replaced with detecting `NODATA 1` in status-fd messages. The stderr logs are different depending on user locale, thus, they should not be parsed. On the other hand, the status-fd are relatively stable. The previous method of detecting invalid OpenPGP data would fail on systems with non-English locale. Signed-off-by: Marcin Serwin <marcin@serwin.dev> Acked-by: Robin Jarry <robin@jarry.cc>
Diffstat (limited to 'contrib')
0 files changed, 0 insertions, 0 deletions