
CVE-2024-25711: Diffoscope uses dangerous `gpg` option `--use-embedded-filename`

diffoscope/comparators/pgp.py invokes gpg with --use-embedded-filename.

When invoked this way, gpg is willing to try to write to any embedded filename. It's not hard to make a zipfile that contains a dozen *.pgp files, each of which targets a different username, like /home/joe/.ssh/authorized_keys, /home/dkg/.ssh/authorized_keys, etc. If any one of those usernames is the current user's username, and they have an ~/.ssh homedir, that file will be created. (I'm sure there are other attacks based on writing arbitrary filenames; this is just one I've come up with off the top of my head.)

One mitigating factor is that an attempt to overwrite an existing file will cause gpg to prompt the user whether it is ok to overwrite; that's still not great, though, as it's a surprising prompt.

GnuPG upstream says that --use-embedded-filename is a bad idea:

In any case I suggest not to use this option and instead decrypt to a temporary file and then rename it to the embedded file name after checking that this file name is harmless. When using the --status-fd option gpg tells the filename as part of the PLAINTEXT status message.

Getting involved with the whole --status-fd option, and trying to parse it, seems like a mess that is not worthwhile.

I think it would be safer to just drop gpg entirely here and rely instead on something like sq packet dump --hex.
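For readers who do keep gpg in the loop, the pattern GnuPG upstream recommends above can be made concrete. The following is an added example written for this report, not diffoscope's own code: it parses the PLAINTEXT line from --status-fd output, treats the embedded name as untrusted, accepts only a plain non-hidden basename, and places the decrypted temporary file without ever overwriting an existing one (so no surprise prompt and no stray ~/.ssh/authorized_keys). The status-line layout (`[GNUPG:] PLAINTEXT <format> <timestamp> <filename>`, filename percent-escaped) is taken from GnuPG's status documentation as I understand it; the sample status lines, function names and the invocation arrangement are assumptions made for the example.

```python
"""Safe handling of a gpg embedded filename (example code, not diffoscope's):
decrypt to a temporary file, read the PLAINTEXT status line from --status-fd,
and only then give the file its embedded name after checking the name is harmless.

Assumed status-line format, per GnuPG's doc/DOC-status:
    [GNUPG:] PLAINTEXT <format> <timestamp> <filename>
with <filename> percent-escaped.  All sample lines below are constructed.
"""
import os
import re
import tempfile
import urllib.parse

STATUS_PREFIX = "[GNUPG:] "

# Constructed status output, not captured from a real gpg run.
HOSTILE_STATUS = "[GNUPG:] PLAINTEXT 62 1700000000 /home/joe/.ssh/authorized_keys\n"
BENIGN_STATUS = "[GNUPG:] PLAINTEXT 62 1700000000 report%20final.txt\n"


def parse_plaintext_filename(status_output):
    """Return the embedded filename reported on the PLAINTEXT status line,
    or None when gpg reported no filename (no fourth field) or no such line."""
    for line in status_output.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split(" ", 3)
        if fields[0] != "PLAINTEXT":
            continue
        if len(fields) < 4 or fields[3] == "":
            return None
        # gpg percent-escapes bytes such as space and '%' inside the filename
        return urllib.parse.unquote(fields[3])
    return None


# Control characters and both directory separators are never acceptable.
_FORBIDDEN = re.compile(r"[\x00-\x1f\x7f/\\]")


def is_harmless_filename(name):
    """Accept only a plain, non-hidden basename.  Anything with a directory
    component (such as /home/joe/.ssh/authorized_keys), a traversal token,
    a control character, a leading dot, or nothing at all is rejected."""
    if not name or name in (".", ".."):
        return False
    if _FORBIDDEN.search(name):
        return False
    if name.startswith("."):
        return False  # dotfiles are configuration, never a sane output name
    if os.path.basename(name) != name:
        return False  # belt and braces for platform-specific separators
    return True


def place_plaintext(tmp_path, dest_dir, embedded_name):
    """Move the decrypted temporary file into dest_dir under embedded_name.
    Refuses unsafe names, and never overwrites: os.link raises FileExistsError
    if the destination is already there, so there is nothing to prompt about."""
    if not is_harmless_filename(embedded_name):
        raise ValueError("refusing unsafe embedded filename: %r" % (embedded_name,))
    dest = os.path.join(dest_dir, embedded_name)
    os.link(tmp_path, dest)  # create-if-absent; fails rather than clobbering
    os.unlink(tmp_path)
    return dest


if __name__ == "__main__":
    # Walk the two constructed status lines through the check.
    for status in (HOSTILE_STATUS, BENIGN_STATUS):
        name = parse_plaintext_filename(status)
        verdict = "ok" if is_harmless_filename(name) else "REJECTED"
        print("%r -> %s" % (name, verdict))

    # Show the placement step on a scratch directory.
    workdir = tempfile.mkdtemp()
    tmp = os.path.join(workdir, "plaintext.tmp")
    with open(tmp, "wb") as fh:
        fh.write(b"decrypted payload (constructed)")
    print("placed at", place_plaintext(tmp, workdir, "report final.txt"))
```

In a real integration the temporary file would be the `--output` target of the gpg run and the status text would come from the `--status-fd` pipe; the check here runs before the file ever receives the attacker-chosen name, which is the whole point of upstream's advice.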
