diff options
| author | Marcin Serwin <marcin@serwin.dev> | 2024-10-26 09:17:03 +0200 |
|---|---|---|
| committer | Robin Jarry <robin@jarry.cc> | 2024-10-27 10:15:08 +0100 |
| commit | 5ccd2d0d518c8de8c2ca921bcd0101e0d0c69a58 (patch) | |
| tree | 0c7452878706c81feff5494ae64229b6a556ba8c /lib/dirstore.go | |
| parent | e319d3291fb8be957f84cffc6d1f29e8c78a2d5b (diff) | |
| download | aerc-5ccd2d0d518c8de8c2ca921bcd0101e0d0c69a58.tar.gz | |
gpg: redirect status-fd from stdout to stderr
By preparing a maliciously crafted message an attacker could send an
encrypted message without signature that would appear as signed within
the aerc client. It is caused by the fact that the gpg status messages,
which are used for determining the validity signature, are interspered
with message contents. An example of such malicious message was added to
the `reader_test.go`.
This change redirects the satus-fd to stderr, while the usual stderr
logs are discarded to /dev/null. In addition to fixing the vulnerability
described above, this has the added benefit of stdout containing only
useful output which does not need to be filtered. This simplifies the
logic and avoids needless copies.
Previous stderr parsing logic which detected when no valid OpenPGP data
was present is replaced with detecting `NODATA 1` in status-fd messages.
The stderr logs are different depending on user locale, thus, they
should not be parsed. On the other hand, the status-fd are relatively
stable. The previous method of detecting invalid OpenPGP data would fail
on systems with non-English locale.
Signed-off-by: Marcin Serwin <marcin@serwin.dev>
Acked-by: Robin Jarry <robin@jarry.cc>
Diffstat (limited to 'lib/dirstore.go')
0 files changed, 0 insertions, 0 deletions