clone 492282 -1
severity -1 normal
tag -1 - security
retitle -1 gpgme leaves unused open file descriptors
reassign -1 libgpgme11
tag 492282 + pending
thanks

On Thursday 24 July 2008 at 22:56 +0200, Stefan Fritsch wrote:
> Seahorse leaks file descriptors to processes started with "seahorse-agent
> --execute", including the gpg agent listening socket. For the default setup,
> this means that all processes started from the desktop inherit those FDs and
> can possibly use them. This can be a security issue because the FDs are also
> inherited to processes started with su as a different user which normally
> would not have access to gpg key and gpg agent socket.
>
> Seahorse should use fcntl to set FD_CLOEXEC on its FDs.

I’ve patched seahorse in our svn to set FD_CLOEXEC on the agent socket.

Other open fds seem to be pipes opened by gpgme to talk to gpg that are
not closed after use. AIUI this is not a security issue.

Cheers,
-- 
 .''`.
: :' :      We are debian.org. Lower your prices, surrender your code.
`. `'       We will add your hardware and software distinctiveness to
  `-        our own. Resistance is futile.