Hi,

Thanks for the report.

On Thursday 28 January 2021 05:59:01 CET Hoàng Cường wrote:
> I discovered security vulnerabilities in Kleopatra, tested on Kleopatra
> Version 3.1.8-gpg4win-3.1.10.latest update.
>
> #summary:
> - Unquoted program path in Kleopatra allows local users to execute
> arbitrary code, via execution and from a compromised folder.

Not really a Kleopatra issue but GpgEX (just for the record as kde@xxxxxxx is in CC).

> #Description
> - Kleopatra allows local users to execute arbitrary code. If file
> C:\program.exe exists, it will be executed.

Ok, it's a bug, but I don't think this is really a security issue, as an execution prevention that blocks unknown binaries from being executed is not bypassed and on default Windows the creation of a file in C:\ requires administrative privileges. But I see that it can be an issue with non-default installation paths.

I can reproduce it with the latest version and I have seen similar issues with create process in the past. The issue for this is now https://dev.gnupg.org/T5272 and I'll fix it before the next release.

Best Regards,
Andre

--
GnuPG.com - a brand of g10 Code, the GnuPG experts.

g10 Code GmbH, Erkrath/Germany, AG Wuppertal HRB14459
GF Werner Koch, USt-Id DE215605608, www.g10code.com.

GnuPG e.V., Rochusstr. 44, D-40479 Düsseldorf. VR 11482 Düsseldorf
Vorstand: W.Koch, B.Reiter, A.Heinecke Mail: board@xxxxxxxxx
Finanzamt D-Altstadt, St-Nr: 103/5923/1779. Tel: +49-211-28010702
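The behaviour behind "if C:\program.exe exists, it will be executed", as an added example that is not GpgEX or Kleopatra code: a host-independent Python model of how CreateProcess picks the module when lpApplicationName is NULL and the first token of lpCommandLine is unquoted, following the resolution order documented for CreateProcessW (every space-delimited prefix is tried, shortest first, with .exe appended when the prefix has no extension). The file layout is constructed: an install under a non-default, user-writable path D:\my tools\GnuPG\bin\ and a planted D:\my.exe are both assumptions, chosen to show the non-default-install case the reply points at. The quoted and lpApplicationName variants at the end are the two fixes a caller of CreateProcess has.

```python
# Added example, not project code. Models CreateProcess module resolution
# for an unquoted lpCommandLine (lpApplicationName == NULL) and shows the
# two hardened call forms. The "file system" is a constructed set of paths.
from typing import Optional

import ntpath  # Windows path semantics regardless of the host OS


def _with_default_ext(path: str) -> str:
    """CreateProcess appends .exe when the module name has no extension."""
    return path if ntpath.splitext(path)[1] else path + ".exe"


def module_candidates(cmdline: str) -> list[str]:
    """Module paths CreateProcess tries, in order, for lpCommandLine.

    Quoted first token: exactly one candidate, the quoted string.
    Unquoted: every space-delimited prefix, shortest first. For the
    documented example 'c:\\program files\\sub dir\\program name' this is
    c:\\program.exe, c:\\program files\\sub.exe, ... and so on.
    """
    s = cmdline.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return [_with_default_ext(s[1:end if end != -1 else None])]
    tokens = s.split(" ")
    return [_with_default_ext(" ".join(tokens[:i]))
            for i in range(1, len(tokens) + 1)]


def resolve(cmdline: str, filesystem: set[str],
            application_name: Optional[str] = None) -> Optional[str]:
    """Return the path that would actually run: the first existing
    candidate, compared case-insensitively as NTFS does. When
    application_name (lpApplicationName) is given, the command line is
    never parsed for the module."""
    present = {p.lower() for p in filesystem}
    if application_name is not None:
        target = _with_default_ext(application_name)
        return target if target.lower() in present else None
    for cand in module_candidates(cmdline):
        if cand.lower() in present:
            return cand
    return None


def quote_argv0(path: str, args: str = "") -> str:
    """Hardened form 1: quote the program path inside lpCommandLine."""
    return f'"{path}" {args}'.rstrip()


# Constructed layout (assumption): GnuPG installed under a non-default path
# on a drive root a normal user can write to, plus a planted D:\my.exe.
REAL = r"D:\my tools\GnuPG\bin\kleopatra.exe"
PLANTED = r"D:\my.exe"
FS = {REAL, PLANTED}


def demo() -> dict[str, Optional[str]]:
    unquoted = f"{REAL} --import foo.asc"
    return {
        # vulnerable: the planted file shadows the real binary
        "unquoted": resolve(unquoted, FS),
        # fix 1: quoted argv[0]
        "quoted": resolve(quote_argv0(REAL, "--import foo.asc"), FS),
        # fix 2: lpApplicationName passed separately
        "app_name": resolve(unquoted, FS, application_name=REAL),
        # same unquoted call when nothing is planted: works by luck
        "without_planted": resolve(unquoted, FS - {PLANTED}),
    }


if __name__ == "__main__":
    for name, target in demo().items():
        print(f"{name:16} -> {target}")
```

The model only covers the space-splitting of the first token; it does not emulate PATH searching for bare module names, which is a separate resolution step. It does show why the reply's caveat holds: on a default install under C:\Program Files the first candidate is C:\program.exe, which a non-administrator cannot create, whereas on a user-writable drive root the shortest prefix is exactly the file an attacker can plant.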