Re: [Evolution] PGP -> execvp() : Security problems?

[Jeffrey Stedfast <fejj ximian com>]

On Tue, 2002-11-12 at 19:08, Anton Aylward wrote:
> On Tue, 2002-11-12 at 17:40, Jeffrey Stedfast <fejj ximian com> wrote:
>
> > Subject: Re: [Evolution] Evolution-1.2 vs pgp encryption
> > To: Stacey Roberts <stacey Demon vickiandstacey com>
> > Cc: evolution ximian com
> >
> > Evolution no longer supports anything other than gnupg.
> >
> > Why not? because I rewrote the pgp backend code to be much more robust
>
> > [snip]
>
> > We now just use execvp() and let
> > the shell find the pgp binary for us. It makes the UI oh so much simpler
> > for the average user.
>
> Indeed it does for the class of users who don't know about PGP.  I would
> think that anyone who is smart enough to handle gnupgp - set it up,
> handle keyrings and so forth - can use "which".  But that's not my
> point.

you would *think*, but be proved wrong... unfortunately.

> My point is the use of execvp().

this is the same as issuing "gpg" in your shell.

> Take a look in the Vuln-dev or other archives and see how many
> vulnerabilities revolve around using execvp() instead of the short-forms
> of the exec() system call.

Yes, because we all know everyone invokes an application by providing
the full path to the binary.

I type /usr/bin/gpg *all* the time

</sarcasm>

sure, maybe it's a risk if you blindly trust your shell environment, but
guess what? you can setup your PATH environment to not include
directories that you feel are risky (ie, don't include ".").

> The user of Evo may not the the owner or administrator of the machine.

this is not assumed.

> has anyone run one of the basic tools for checking the source of Evo for
> the plethora of classical security coding risks?

no.

Jeff

-- 
Jeffrey Stedfast
Evolution Hacker - Ximian, Inc.
fejj ximian com  - www.ximian.com