duplicity-talk
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Duplicity-talk] Stream Vulnerability

From: Martin Pool
Subject: Re: [Duplicity-talk] Stream Vulnerability
Date: Sun, 31 Aug 2014 14:10:45 +0000
It will be vulnerable if it reads from gpg through a pipe and processes data as it goes. It will not be vulnerable if it lets gpg complete writing its output into a temp file or buffer, before parsing any of it.

On Sun Aug 31 2014 at 4:56:55 AM <address@hidden> wrote:
On 29.08.2014 23:30, Jonathan Brown wrote:
> Could anyone tell me if Duplicity is vulnerable to stream encryption vulnerabilities utilizing GPG? This blog post talks about issues affecting encryption that uses GPG and I would like to know if there is any reason to be concerned. Thanks
>
> https://www.imperialviolet.org/2014/06/27/streamingencryption.html <mailto:address@hiddenorg>
>
>

it's unclear to me how an attacker might use this vulnerability in case of duplicity. can you give an example?

generally duplicity has all flaws of gpg. volumes/files are created by piping them into a gpg process and using the resulting encrypted files.

..ede/duply.net

_______________________________________________
Duplicity-talk mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/duplicity-talk
reply via email to
[Prev in Thread] Current Thread [Next in Thread]