CVE-2024-25711: Diffoscope uses dangerous `gpg` option `--use-embedded-filename`
`diffoscope/comparators/pgp.py` invokes `gpg` with `--use-embedded-filename`. When invoked this way, `gpg` is willing to try to write to any embedded filename. It's not hard to make a zipfile that contains a dozen `*.pgp` files, each of which targets a different username, like `/home/joe/.ssh/authorized_keys`, `/home/dkg/.ssh/authorized_keys`, etc. If any one of those usernames is the current user's username, and they have an `~/.ssh` homedir, that file will be created. (I'm sure there are other attacks based on writing arbitrary filenames; this is just one I've come up with off the top of my head.)

One mitigating factor is that an attempt to overwrite an existing file will cause `gpg` to prompt the user whether it is ok to overwrite; that's still not great, though, as it's a surprising prompt.
GnuPG upstream says that `--use-embedded-filename` is a bad idea:

"In any case I suggest not to use this option and instead decrypt to a temporary file and then rename it to the embedded file name after checking that this file name is harmless. When using the `--status-fd` option gpg tells the filename as part of the PLAINTEXT status message."
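To show what upstream's suggested approach involves, here is an added example (not diffoscope's code, and not GnuPG's): decrypt to a temporary file via `--output`, read the embedded name from the `--status-fd` stream, and rename only if that name is a bare, printable basename. It assumes the PLAINTEXT status line has the form `[GNUPG:] PLAINTEXT <format> <timestamp> <filename>` with the name percent-escaped (as I read GnuPG's doc/DETAILS), that `gpg` is on PATH, and the function names are mine.

```python
import os
import re
import subprocess
import tempfile
import urllib.parse

# Assumed format (GnuPG doc/DETAILS): "[GNUPG:] PLAINTEXT <format> <timestamp> <filename>",
# with <filename> being the literal-data packet's name, percent-escaped.
PLAINTEXT_RE = re.compile(r"^\[GNUPG:\] PLAINTEXT (\S+) (\S+) ?(.*)$", re.MULTILINE)

def embedded_filename(status_text):
    """Return the unescaped embedded filename from the status stream, or None if absent."""
    m = PLAINTEXT_RE.search(status_text)
    if not m or not m.group(3):
        return None
    return urllib.parse.unquote(m.group(3))

def is_harmless_filename(name):
    """Accept only a single printable path component: no separators, no '.'/'..', no NUL."""
    if not name or name in (".", ".."):
        return False
    if "/" in name or "\\" in name or "\0" in name:
        return False
    if name.startswith("-"):  # would be taken for an option by many tools
        return False
    return all(ord(c) >= 0x20 and ord(c) != 0x7F for c in name)

def place_plaintext(tmp_path, dest_dir, name):
    """Move the decrypted temp file to dest_dir/<name>; refuse unsafe names, never clobber."""
    if not is_harmless_filename(name):
        raise ValueError(f"refusing embedded filename {name!r}")
    dest = os.path.join(dest_dir, name)
    os.link(tmp_path, dest)  # raises FileExistsError instead of overwriting
    os.unlink(tmp_path)
    return dest

def decrypt_to_dir(pgp_path, dest_dir):
    """Decrypt to a name we chose (--output); gpg never picks the output path itself."""
    fd, tmp_path = tempfile.mkstemp(dir=dest_dir, prefix=".decrypting-")
    os.close(fd)
    proc = subprocess.run(
        ["gpg", "--batch", "--yes", "--status-fd", "1", "--output", tmp_path,
         "--decrypt", pgp_path], capture_output=True, text=True)
    try:
        if proc.returncode != 0:
            raise RuntimeError(proc.stderr.strip())
        name = embedded_filename(proc.stdout) or "plaintext"
        return place_plaintext(tmp_path, dest_dir, name)
    except Exception:
        os.unlink(tmp_path)  # every failure path above leaves the temp file behind
        raise
```

With this shape the only file `gpg` ever writes is the one the caller created inside `dest_dir`, so a `/home/joe/.ssh/authorized_keys` embedded name is simply rejected rather than prompted about.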
Getting involved with the whole `--status-fd` option, and trying to parse it, seems like a mess that is not worthwhile.

I think it would be safer to just drop `gpg` entirely here and rely instead on something like `sq packet dump --hex`.