Bug#993441: kleopatra: Creates unsafe ~/.gnupg when not already present
Package: kleopatra
Version: 4:21.08.0-1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team

I had previously 'improved' my gnupg configuration, but that is (now) deprecated. So I moved my ~/.gnupg directory to a backup location to start anew.

If I then start Kleopatra, but don't do anything with it, that directory gets created, but with the wrong permissions:

diederik@bagend:~$ stat .gnupg/
  File: .gnupg/
  Size: 4096       Blocks: 8          IO Block: 4096   directory
Device: 10304h/66308d   Inode: 12845182    Links: 3
Access: (0755/drwxr-xr-x)  Uid: ( 1000/diederik)   Gid: ( 1000/diederik)

Running a gpg command from a Konsole window reports the issue:

diederik@bagend:~$ gpg --list-keys
gpg: WARNING: unsafe permissions on homedir '/home/diederik/.gnupg'

If I uninstall Kleopatra and remove the ~/.gnupg directory (again) and then do 'gpg --list-keys', I get:

diederik@bagend:~$ gpg --list-keys
gpg: directory '/home/diederik/.gnupg' created
gpg: keybox '/home/diederik/.gnupg/pubring.kbx' created
gpg: /home/diederik/.gnupg/trustdb.gpg: trustdb created
diederik@bagend:~$ stat .gnupg/
  File: .gnupg/
  Size: 4096       Blocks: 8          IO Block: 4096   directory
Device: 10304h/66308d   Inode: 12845180    Links: 2
Access: (0700/drwx------)  Uid: ( 1000/diederik)   Gid: ( 1000/diederik)

So Kleopatra creates ~/.gnupg with incorrect permissions when the directory doesn't exist.
Cheers,
  Diederik

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'unstable'), (500, 'testing'), (101, 'experimental'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: arm64

Kernel: Linux 5.10.0-8-amd64 (SMP w/16 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages kleopatra depends on:
ii  dirmngr               2.2.27-2
ii  gnupg                 2.2.27-2
ii  gpgsm                 2.2.27-2
ii  libassuan0            2.5.5-1
ii  libc6                 2.31-17
ii  libgcc-s1             11.2.0-3
ii  libgpg-error0         1.42-3
ii  libgpgme11            1.16.0-1
ii  libgpgmepp6           1.16.0-1
ii  libkf5codecs5         5.85.0-2
ii  libkf5configcore5     5.85.0-2
ii  libkf5configgui5      5.85.0-2
ii  libkf5configwidgets5  5.85.0-2
ii  libkf5coreaddons5     5.85.0-2
ii  libkf5crash5          5.85.0-2
ii  libkf5dbusaddons5     5.85.0-2
ii  libkf5i18n5           5.85.0-2
ii  libkf5iconthemes5     5.85.0-2
ii  libkf5itemmodels5     5.85.0-2
ii  libkf5libkleo5 [libkf5libkleo5-21.08]  4:21.08.0-1
ii  libkf5mime5abi1 [libkf5mime5-21.08]    21.08.0-1
ii  libkf5notifications5  5.85.0-3
ii  libkf5textwidgets5    5.85.0-2
ii  libkf5widgetsaddons5  5.85.0-2
ii  libkf5windowsystem5   5.85.0-2
ii  libkf5xmlgui5         5.85.0-3
ii  libqgpgme7            1.16.0-1
ii  libqt5core5a          5.15.2+dfsg-10
ii  libqt5dbus5           5.15.2+dfsg-10
ii  libqt5gui5            5.15.2+dfsg-10
ii  libqt5network5        5.15.2+dfsg-10
ii  libqt5printsupport5   5.15.2+dfsg-10
ii  libqt5widgets5        5.15.2+dfsg-10
ii  libstdc++6            11.2.0-3
ii  paperkey              1.6-1
ii  pinentry-qt           1.1.1-1

kleopatra recommends no packages.

kleopatra suggests no packages.

-- no debconf information
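
Added example (not part of the original report, and not Kleopatra or GnuPG code): a shell check for the condition reported above, a GnuPG home directory carrying group or other permission bits such as 0755, together with a repair step and a creation step that does not depend on the caller's umask. The function names are hypothetical, GNU coreutils stat is assumed (as on Debian), and tightening files to 600 is a common hardening convention rather than something the report states.

```shell
#!/bin/sh
# Added example: audit, repair and safely create a GnuPG home directory.
# Function names are hypothetical; assumes GNU coreutils stat (Debian).

# Print one of: ok, missing, not-a-directory, wrong-owner, unsafe-mode:<octal>
gnupg_home_status() {
    dir=$1
    [ -e "$dir" ] || [ -L "$dir" ] || { echo missing; return 0; }
    # A symlink or plain file where the directory should be is a finding too.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then echo not-a-directory; return 0; fi
    set -- $(stat -c '%a %u' "$dir")
    mode=$1 owner=$2
    [ "$owner" = "$(id -u)" ] || { echo wrong-owner; return 0; }
    # Any group/other bit (mask 077) is unsafe: 0755 fails, 0700 passes.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then echo "unsafe-mode:$mode"; return 0; fi
    echo ok
}

# Tighten an existing home: directories to 700, regular files to 600.
gnupg_home_repair() {
    dir=$1
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    find "$dir" -type d -exec chmod 700 {} +
    find "$dir" -type f -exec chmod 600 {} +
}

# Create the directory with mode 0700 regardless of the caller's umask,
# so there is no window in which it exists with wider permissions.
gnupg_home_create() {
    ( umask 077 && mkdir -p -- "$1" )
}

# Report on the current user's GnuPG home (GNUPGHOME overrides the default).
gnupg_home_status "${GNUPGHOME:-$HOME/.gnupg}"
```

On a directory in the state shown in the report this prints unsafe-mode:755; after gnupg_home_repair it prints ok.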
Processing of dolphin_21.08.0-2_source.changes
dolphin_21.08.0-2_source.changes uploaded successfully to localhost
along with the files:
  dolphin_21.08.0-2.dsc
  dolphin_21.08.0-2.debian.tar.xz
  dolphin_21.08.0-2_source.buildinfo

Greetings,

	Your Debian queue daemon (running on host usper.debian.org)
dolphin_21.08.0-2_source.changes ACCEPTED into unstable
Accepted:

Format: 1.8
Date: Thu, 02 Sep 2021 07:30:42 +0900
Source: dolphin
Architecture: source
Version: 4:21.08.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers
Changed-By: Norbert Preining
Changes:
 dolphin (4:21.08.0-2) unstable; urgency=medium
 .
   [ Norbert Preining ]
   * Cherry-pick upstream fix for starting a console when kinit is not running.

Thank you for your contribution to Debian.
Processing of kmail_21.08.0-2_source.changes
kmail_21.08.0-2_source.changes uploaded successfully to localhost
along with the files:
  kmail_21.08.0-2.dsc
  kmail_21.08.0-2.debian.tar.xz
  kmail_21.08.0-2_source.buildinfo

Greetings,

	Your Debian queue daemon (running on host usper.debian.org)
kmail_21.08.0-2_source.changes ACCEPTED into unstable
Accepted:

Format: 1.8
Date: Thu, 02 Sep 2021 07:35:22 +0900
Source: kmail
Architecture: source
Version: 4:21.08.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers
Changed-By: Norbert Preining
Changes:
 kmail (4:21.08.0-2) unstable; urgency=medium
 .
   [ Norbert Preining ]
   * Bump frameworks b-d to 5.85 to fix settings bug.
   * Bump standards version, no changes necessary.

Thank you for your contribution to Debian.