python-gnupg audit

instream is apparently a file descriptor, but is not checked nor encased in a try/except block.

while True: loop, should be

with open(instream) as instrm:

except: 

should catch an IOError, or whatever specific error is raised for broken pipes.

this just wraps self._copydata in a thread

logger writes passphrase into debug log. this should be patched.

Verify.__init__(self,gpg)

should be changed to:

super(Verify, self).__init__(gpg)

if gnupghome and not os.path.isdir(self.gnupghome):
    os.makedirs(self.gnupghome,0x1C0)

In [20]: os.makedirs?
Type:       function
String Form:<function makedirs at 0x7f8ddeb6cc08>
File:       /usr/lib/python2.7/os.py
Definition: os.makedirs(name, mode=511)
Docstring:
makedirs(path [, mode=0777])
Super-mkdir; create a leaf directory and all intermediate ones.
Works like mkdir, except that any intermediate path segment (not
just the rightmost) will be created if it does not exist.  This is
recursive.

setting mode=0x1c0 is equivalent to mode=hex(0700), which
may cause bugs on some systems, see
http://ubuntuforums.org/showthread.php?t=2044879

this could be do to the complete lack of input validation in
os.makedirs, and it's calling of the os.mkdir() built-in, which
may vary depending on the python compilation:

Source:
def makedirs(name, mode=0777):
    """makedirs(path [, mode=0777])

    Super-mkdir; create a leaf directory and all intermediate ones.
    Works like mkdir, except that any intermediate path segment (not
    just the rightmost) will be created if it does not exist.  This is
    recursive.
    """
    head, tail = path.split(name)
    if not tail:
        head, tail = path.split(head)
    if head and tail and not path.exists(head):
        try:
            makedirs(head, mode)
        except OSError, e:
            # be happy if someone already created the path
            if e.errno != errno.EEXIST:
                raise
        if tail == curdir:           # xxx/newdir/. exists if xxx/newdir exists
            return
    mkdir(name, mode)

cmd.extend(args)

cmd is a list of strings, eventually joined with cmd=' '.join(cmd), and the args are unvalidated in this function. Then this concatenation of args is fed directly into subprocess.Popen(cmd, shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE). THIS SHOULD BE PATCHED.

p = self._open_subprocess(args, passphrase is not None)

you shouldn't assign or type check in a function call

calls self._{makebinarystream}(), which leaves the file descriptor for the encoded message to be encrypted hanging between scopes.

if detach:
    args.append("--detach-sign")
elif clearsign:
    args.append("--clearsign")

the logic here allows that if a user erroneously specifies both options, rather than doing what the system gnupg would do (that is, do –clearsign, and ignore the –attach-sign), python-gnupg would ignore both.

input 'args' into self._{opensubprocess}() is defined as static strings.

same hanging file descriptor problem as in self.sign()

more potentially hanging file descriptors…

oh look, another hanging file descriptor. imagine that.

args.append('"%s"' % data_filename)

well, there's the exploit. see included POC script.

this function could potentially allow an attacker with a GPG exploit to use it, because it passes key generation parameter directly into the internal packet parsers of GPG. however, without a GPG exploit for one of the GPG packet parsers (for explanation of GPG packets look into pgpdump), this function alone is not exploitable.

args.extend(keyids)

args problem again. exploitable though parameter ``keyids``.

args is static string.

args, passed to self._handleio(), which in turn passes args directly to Popen(), is set to a static string. this function is halfway okay, though it really could be more careful with the ``input`` parameter.

this function could potentially allow an attacker with a GPG exploit to use it, because it passes key generation parameter directly into the internal packet parsers of GPG. however, without a GPG exploit for one of the GPG packet parsers (for explanation of GPG packets look into pgpdump), this function alone is not exploitable.

several of the inputs to this function are unvalidated, turned into strings, and passed to Popen(). exploitable.

exploitable, passes kwargs to self.encrypt_file()

kwargs are passed to self.decrypt_file(), unvalidated, making this function also exploitable

unvalidated user input: this function is also exploitable