[Evolution] PGP -> execvp() : Security problems?



On Tue, 2002-11-12 at 17:40, Jeffrey Stedfast <fejj ximian com> wrote:

Subject: Re: [Evolution] Evolution-1.2 vs pgp encryption
To: Stacey Roberts <stacey Demon vickiandstacey com>
Cc: evolution ximian com

Evolution no longer supports anything other than gnupg.

Why not? because I rewrote the pgp backend code to be much more robust

[snip]

We now just use execvp() and let
the shell find the pgp binary for us. It makes the UI oh so much simpler
for the average user.

Indeed it does for the class of users who don't know about PGP.  I would
think that anyone who is smart enough to handle gnupgp - set it up,
handle keyrings and so forth - can use "which".  But that's not my
point.

My point is the use of execvp().

Take a look in the Vuln-dev or other archives and see how many
vulnerabilities revolve around using execvp() instead of the short-forms
of the exec() system call.

The user of Evo may not be the owner or administrator of the machine.

Has anyone run one of the basic tools for checking the source of Evo for
the plethora of classical security coding risks?

/anton
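
The message above turns on the fact that execvp() locates the program through the inherited PATH, while execv() takes a path and performs no search. As an added example (not part of the original post and not Evolution's code), this sketch resolves gpg against a fixed directory list and then calls execv() with the absolute path; `resolve_trusted`, `exec_gpg` and the directory list are hypothetical names and values chosen for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed trusted locations for the helper binary; adjust per system. */
static const char *const TRUSTED_DIRS[] = { "/usr/local/bin", "/usr/bin", "/bin", NULL };

/* Resolve `name` against `dirs` only, ignoring $PATH. Returns 0 and writes
 * the absolute path to `out` on success, -1 if no acceptable binary exists. */
int resolve_trusted(const char *name, const char *const *dirs,
                    char *out, size_t outlen)
{
    struct stat st;

    /* A '/' in the name would let the caller step outside the listed dirs. */
    if (name == NULL || *name == '\0' || strchr(name, '/') != NULL)
        return -1;

    for (; *dirs != NULL; dirs++) {
        int n = snprintf(out, outlen, "%s/%s", *dirs, name);
        if (n < 0 || (size_t)n >= outlen)
            continue;                        /* path would be truncated */
        if (stat(out, &st) != 0 || !S_ISREG(st.st_mode))
            continue;                        /* missing or not a regular file */
        if (st.st_uid != 0 && st.st_uid != geteuid())
            continue;                        /* owned by some other user */
        if (st.st_mode & (S_IWGRP | S_IWOTH))
            continue;                        /* replaceable by group or others */
        if (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH))
            return 0;                        /* has an execute bit: accept */
    }
    return -1;
}

/* Run gpg by absolute path; unlike execvp(), execv() never consults $PATH. */
int exec_gpg(char *const argv[])
{
    char path[PATH_MAX];

    if (resolve_trusted("gpg", TRUSTED_DIRS, path, sizeof path) != 0)
        return -1;
    execv(path, argv);                       /* returns only on failure */
    return -1;
}
```

The check and the exec are separate system calls, so this narrows where the binary may come from but does not protect a directory that other users can write to.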






