1997-11-15 - Re: auto signing messages Re: perl from Amad3us

Header Data

From: nobody@REPLAY.COM (Anonymous)
To: cypherpunks@ssz.com
Message Hash: e21e655326024e4fb342972348b02d35397170e6ba80a06207673cf06ef21ce4
Message ID: <199711152003.VAA10615@basement.replay.com>
Reply To: N/A
UTC Datetime: 1997-11-15 20:16:25 UTC
Raw Date: Sun, 16 Nov 1997 04:16:25 +0800

Raw message

From: nobody@REPLAY.COM (Anonymous)
Date: Sun, 16 Nov 1997 04:16:25 +0800
To: cypherpunks@ssz.com
Subject: Re: auto signing messages Re: perl from Amad3us
Message-ID: <199711152003.VAA10615@basement.replay.com>
MIME-Version: 1.0
Content-Type: text/plain



-----BEGIN PGP SIGNED MESSAGE-----

Antonomasia says:
> excerpt from Amad3us' script:
> >  #!/usr/local/bin/perl
> >  $userID="cypherpunks\@algebra.com";
> >  $pgp="/usr/local/bin/pgp";
> >  $tmp="/tmp/.sig$$";
> >  undef($/);
> >  $post = <STDIN>;
> >  ($headers,@body) = split(/\n\n/,$post);$body = join("\n\n",@body);
> >  open(PIPE,"|$pgp -satf +batchmode +verbose=0 -u $userID > $tmp");
> 
> Real paranoiacs don't put temporary files in world-writeable directories.
> 
> If a hostile user symlinks your majordomo binary (or something)
> to /tmp/.sig999 you're going to overwrite it with garbage.

Sure.  But have you looked at pgp2 source code? (smirks).

(Hint, temporary files all over the place.)

Amad3us

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i

iQCVAwUBNG39iPKMuKFNFivhAQEYuwP/Q5nWBocRDlwVWCppBnI6g+kryko8YGJO
PnEQU+ZeTXFtnBlhpylzaz4XX2hx5cfVUtmU+EZ6GsKdu/5ALV7JWZfpRQ7LLY0n
kY0xiCDRn5binhXXuMXAJIu6y47KyXgrFQKQWZm7sgAF0p6PCbajMwPUiJEWKpWe
TGlzJNCp7OE=
=w4G3
-----END PGP SIGNATURE-----






Thread