[<prev] [next>] [day] [month] [year] [list]
Message-ID: <87ek1wkgxe.fsf__31363.8640837327$1140539648$gmane$org@wheatstone.g10code.de>
Date: Tue, 21 Feb 2006 13:57:49 +0100
From: Werner Koch <wk@...pg.org>
To: Marcus Meissner <meissner@...e.de>
Cc: gnupg-devel@...pg.org, bugtraq@...urityfocus.com
Subject: Re: Not completely fixed?
On Mon, 20 Feb 2006 17:14:52 +0100, Marcus Meissner said:
> While files with other content report:
> $ gpg -o xx xx.any
> gpg: no valid OpenPGP data found.
> gpg: processing message failed: eof
> $ echo $?
> 2
> $
Just to explain this one: The code uses a heuristic to test whether it
is a binary or armored messages. If it decided that it is armored,
the de-armoring code is run and that one will eventually complain that
this does not look like OpenPGP. We added this diagnostic quite some
time ago on because too often garbled armored messages led to user
confusion.
The thing with binary messages is that gpg will happily parse them if
they look like an OpenPGP packets and only terminate with an error if
they don't. It is easy to make up OpenPGP data without any actual
use. Minor changes in the parser may change what gpg considers
acceptable. The exact semantics have never been defined, so I don't
considere this a bug. gpg is not a OpenPGP packet validator.
Changing that now will probably break more things than do any good.
There are a few non-security related issues with the last update; we
are right now sorting them out.
Shalom-Salam,
Werner
Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists