GPG does not verify keys received when using --recv-keys leaving communication with key servers vulnerable to MITM

Bug #1409117 reported by devd on 2015-01-09
Affects                  Status        Importance  Assigned to        Milestone
GnuPG                    Fix Released  Unknown
gnupg (Debian)           Fix Released  Unknown
gnupg (Ubuntu)                         Undecided   Unassigned
  Lucid                                Wishlist    Marc Deslauriers
  Precise                              Wishlist    Marc Deslauriers
  Trusty                               Wishlist    Marc Deslauriers
  Utopic                               Wishlist    Marc Deslauriers
  Vivid                                Undecided   Unassigned
gnupg2 (Ubuntu)                        Undecided   Unassigned
  Lucid                                Wishlist    Marc Deslauriers
  Precise                              Wishlist    Marc Deslauriers
  Trusty                               Wishlist    Marc Deslauriers
  Utopic                               Undecided   Unassigned
  Vivid                                Undecided   Unassigned

Bug Description

The patch from http://bugs.gnupg.org/gnupg/issue1579 is critical and should be backported to 12.04; right now, it is not.

This leaves 12.04 users of GPG2 vulnerable to MITM attacks on gpg2 --recv-keys. See https://evil32.com/ for an example (the text that is struck out; the gpg2 package on 12.04 is still vulnerable).

Marc Deslauriers (mdeslaur) wrote :

Fixed in 2.0.24 and 1.4.17.

information type: Private Security → Public Security
Changed in gnupg2 (Ubuntu Utopic):
status: New → Fix Released
Changed in gnupg2 (Ubuntu Vivid):
status: New → Fix Released
Changed in gnupg (Ubuntu Vivid):
status: New → Fix Released
Changed in gnupg (Ubuntu Lucid):
assignee: nobody → Marc Deslauriers (mdeslaur)
importance: Undecided → Wishlist
status: New → Confirmed
Changed in gnupg (Ubuntu Precise):
importance: Undecided → Wishlist
status: New → Confirmed
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in gnupg (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
importance: Undecided → Wishlist
status: New → Confirmed
Changed in gnupg (Ubuntu Utopic):
assignee: nobody → Marc Deslauriers (mdeslaur)
importance: Undecided → Wishlist
status: New → Confirmed
Changed in gnupg2 (Ubuntu Lucid):
assignee: nobody → Marc Deslauriers (mdeslaur)
importance: Undecided → Wishlist
status: New → Confirmed
Changed in gnupg2 (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
importance: Undecided → Wishlist
status: New → Confirmed
Changed in gnupg2 (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
importance: Undecided → Wishlist
status: New → Confirmed
devd (dbun6u) wrote :

gpg is commonly used for verifying signatures before installing packages and is how you would get packages from Launchpad too, right? forgive me, but maybe wishlist is too low an importance? Obviously, your call and I am not experienced with the project here, but I really think this should be backported soon.

Marc Deslauriers (mdeslaur) wrote :

apt-add-repository validates that the key that was downloaded is the right one before importing it; it doesn't blindly trust the key that gpg downloaded from the keyserver.

This is wishlist simply because it's security hardening. I will include it in the next gnupg security upload.
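The bug description and the comment above describe two layers of the same check: the "Screen keyserver responses" fix makes gpg keep only the keys that were actually requested, and a careful caller such as apt-add-repository additionally compares the downloaded key against a fingerprint it already knows. The following Python is an added example, not code from GnuPG or Ubuntu: it parses a constructed `gpg --with-colons`-style listing (the fingerprints and user IDs are made up) and shows the request-based screening beside the stricter full-fingerprint pin. The sample deliberately contains two keys that share the 32-bit key ID 0xDEADBEEF, the situation the evil32 page demonstrates, plus an unrelated key that a keyserver or an on-path attacker could slip into the response.

```python
"""Screen a keyserver response before importing it.

Added example, not GnuPG's or Ubuntu's code. The listing below is a
constructed `gpg --with-colons` style listing with made-up fingerprints.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample: two keys sharing the short key ID DEADBEEF (the
# evil32 situation) and one key nobody asked for. Field layout follows the
# colon-delimited listing format: key ID is field 5 of a pub record, the
# fingerprint is field 10 of an fpr record, the user ID is field 10 of uid.
SAMPLE_RESPONSE = """\
pub:-:4096:1:89ABCDEFDEADBEEF:1420761600::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFDEADBEEF:
uid:-::::1420761600::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Alice Example <alice@example.org>::::::::::0:
pub:-:4096:1:76543210DEADBEEF:1420761600::-:::scESC::::::23::0:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210DEADBEEF:
uid:-::::1420761600::ABCDEF0123456789ABCDEF0123456789ABCDEF02::Alice Example <alice@example.org>::::::::::0:
pub:-:2048:1:00000000CAFEBABE:1420761600::-:::scESC::::::23::0:
fpr:::::::::00000000000000000000000000000000CAFEBABE:
uid:-::::1420761600::ABCDEF0123456789ABCDEF0123456789ABCDEF03::Mallory <mallory@example.net>::::::::::0:
"""


@dataclass
class Key:
    keyid: str                 # 16 hex digits (long key ID)
    fingerprint: str = ""      # 40 hex digits (v4 fingerprint)
    uids: list[str] = field(default_factory=list)


def parse_colons(listing: str) -> list[Key]:
    """Collect pub/fpr/uid records from colon-delimited gpg output."""
    keys: list[Key] = []
    for line in listing.splitlines():
        fields = line.split(":")
        rec = fields[0]
        if rec == "pub":
            keys.append(Key(keyid=fields[4].upper()))
        elif rec == "fpr" and keys and not keys[-1].fingerprint:
            # First fpr after a pub is the primary key; subkey fprs are skipped.
            keys[-1].fingerprint = fields[9].upper()
        elif rec == "uid" and keys:
            keys[-1].uids.append(fields[9])
    return keys


def normalize(ident: str) -> str:
    """Accept 'DEAD BEEF', '0xdeadbeef' or a full fingerprint with spaces."""
    ident = ident.strip().replace(" ", "").upper()
    return ident[2:] if ident.startswith("0X") else ident


def matches(key: Key, ident: str) -> bool:
    """A short ID (8), long ID (16) or fingerprint (40) matches a key when
    it is a suffix of the key's fingerprint, as gpg's own lookup treats it."""
    ident = normalize(ident)
    if len(ident) not in (8, 16, 40):
        raise ValueError(f"not a key ID or fingerprint: {ident!r}")
    return key.fingerprint.endswith(ident)


def screen_response(listing: str, requested: list[str]) -> list[Key]:
    """What the 'Screen keyserver responses' fix does: drop every key in the
    response that does not match something the caller asked for."""
    return [k for k in parse_colons(listing)
            if any(matches(k, r) for r in requested)]


def pinned_key(listing: str, expected_fpr: str) -> Key | None:
    """Caller-side check: accept exactly one key whose full fingerprint equals
    the value known out of band, or nothing at all. A short key ID cannot do
    this because two distinct keys can share it."""
    hits = [k for k in parse_colons(listing)
            if k.fingerprint == normalize(expected_fpr)]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    print("unscreened:", [k.keyid for k in parse_colons(SAMPLE_RESPONSE)])
    print("asked for 0xDEADBEEF:",
          [k.keyid for k in screen_response(SAMPLE_RESPONSE, ["0xDEADBEEF"])])
    pinned = pinned_key(
        SAMPLE_RESPONSE, "0123 4567 89AB CDEF 0123 4567 89AB CDEF DEAD BEEF")
    print("pinned fingerprint selects:", pinned.keyid if pinned else None)
```

Screening by the requested short ID still leaves both DEADBEEF keys, which is why the fix alone is hardening rather than a full remedy; only the pinned full fingerprint picks out the intended key, and the unrelated CAFEBABE key never survives unless it was explicitly requested.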

devd (dbun6u) wrote :

aah makes sense. thanks.

Changed in gnupg:
status: Unknown → Fix Released
Changed in gnupg (Debian):
status: Unknown → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnupg - 1.4.16-1.2ubuntu1.2

---------------
gnupg (1.4.16-1.2ubuntu1.2) utopic-security; urgency=medium

  * Screen responses from keyservers (LP: #1409117)
    - d/p/0001-Screen-keyserver-responses.patch
    - d/p/0002-Make-screening-of-keyserver-result-work-with-multi-k.patch
    - d/p/0003-Add-kbnode_t-for-easier-backporting.patch
    - d/p/0004-gpg-Fix-regression-due-to-the-keyserver-import-filte.patch
  * Fix large key size regression from CVE-2014-5270 changes (LP: #1371766)
    - d/p/Add-build-and-runtime-support-for-larger-RSA-key.patch
    - debian/rules: build with --enable-large-secmem
  * SECURITY UPDATE: sidechannel attack on Elgamal
    - debian/patches/CVE-2014-3591.patch: use ciphertext blinding in
      cipher/elgamal.c.
    - CVE-2014-3591
  * SECURITY UPDATE: sidechannel attack via timing variations in mpi_powm
    - debian/patches/CVE-2015-0837.patch: avoid timing variations in
      include/mpi.h, mpi/mpi-pow.c, mpi/mpiutil.c.
    - CVE-2015-0837
  * SECURITY UPDATE: invalid memory read via invalid keyring
    - debian/patches/CVE-2015-1606.patch: skip all packets not allowed in
      a keyring in g10/keyring.c.
    - CVE-2015-1606
  * SECURITY UPDATE: memcpy with overlapping ranges
    - debian/patches/CVE-2015-1607.patch: use inline functions to convert
      buffer data to scalars in g10/apdu.c, g10/app-openpgp.c,
      g10/build-packet.c, g10/ccid-driver.c, g10/getkey.c, g10/keygen.c,
      g10/keyid.c, g10/misc.c, g10/parse-packet.c, g10/tdbio.c,
      g10/trustdb.c, include/host2net.h.
    - CVE-2015-1607
 -- Marc Deslauriers <email address hidden> Fri, 27 Mar 2015 08:21:50 -0400

Changed in gnupg (Ubuntu Utopic):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnupg - 1.4.16-1ubuntu2.3

---------------
gnupg (1.4.16-1ubuntu2.3) trusty-security; urgency=medium

  * Screen responses from keyservers (LP: #1409117)
    - d/p/0001-Screen-keyserver-responses.patch
    - d/p/0002-Make-screening-of-keyserver-result-work-with-multi-k.patch
    - d/p/0003-Add-kbnode_t-for-easier-backporting.patch
    - d/p/0004-gpg-Fix-regression-due-to-the-keyserver-import-filte.patch
  * Fix large key size regression from CVE-2014-5270 changes (LP: #1371766)
    - d/p/Add-build-and-runtime-support-for-larger-RSA-key.patch
    - debian/rules: build with --enable-large-secmem
  * SECURITY UPDATE: sidechannel attack on Elgamal
    - debian/patches/CVE-2014-3591.patch: use ciphertext blinding in
      cipher/elgamal.c.
    - CVE-2014-3591
  * SECURITY UPDATE: sidechannel attack via timing variations in mpi_powm
    - debian/patches/CVE-2015-0837.patch: avoid timing variations in
      include/mpi.h, mpi/mpi-pow.c, mpi/mpiutil.c.
    - CVE-2015-0837
  * SECURITY UPDATE: invalid memory read via invalid keyring
    - debian/patches/CVE-2015-1606.patch: skip all packets not allowed in
      a keyring in g10/keyring.c.
    - CVE-2015-1606
  * SECURITY UPDATE: memcpy with overlapping ranges
    - debian/patches/CVE-2015-1607.patch: use inline functions to convert
      buffer data to scalars in g10/apdu.c, g10/app-openpgp.c,
      g10/build-packet.c, g10/ccid-driver.c, g10/getkey.c, g10/keygen.c,
      g10/keyid.c, g10/misc.c, g10/parse-packet.c, g10/tdbio.c,
      g10/trustdb.c, include/host2net.h.
    - CVE-2015-1607
 -- Marc Deslauriers <email address hidden> Fri, 27 Mar 2015 08:22:48 -0400

Changed in gnupg (Ubuntu Trusty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnupg2 - 2.0.22-3ubuntu1.3

---------------
gnupg2 (2.0.22-3ubuntu1.3) trusty-security; urgency=medium

  * Screen responses from keyservers (LP: #1409117)
    - d/p/0001-Screen-keyserver-responses.patch
    - d/p/0002-Make-screening-of-keyserver-result-work-with-multi-k.patch
    - d/p/0003-Add-kbnode_t-for-easier-backporting.patch
    - d/p/0004-gpg-Fix-regression-due-to-the-keyserver-import-filte.patch
  * Fix large key size regression from CVE-2014-5270 changes (LP: #1371766)
    - d/p/Add-build-and-runtime-support-for-larger-RSA-key.patch
    - debian/rules: build with --enable-large-secmem
  * SECURITY UPDATE: invalid memory read via invalid keyring
    - debian/patches/CVE-2015-1606.patch: skip all packets not allowed in
      a keyring in g10/keyring.c.
    - CVE-2015-1606
  * SECURITY UPDATE: memcpy with overlapping ranges
    - debian/patches/CVE-2015-1607.patch: use inline functions to convert
      buffer data to scalars in common/iobuf.c, g10/build-packet.c,
      g10/getkey.c, g10/keyid.c, g10/main.h, g10/misc.c,
      g10/parse-packet.c, g10/tdbio.c, g10/trustdb.c, include/host2net.h,
      kbx/keybox-dump.c, kbx/keybox-openpgp.c, kbx/keybox-search.c,
      kbx/keybox-update.c, scd/apdu.c, scd/app-openpgp.c,
      scd/ccid-driver.c, scd/pcsc-wrapper.c, tools/ccidmon.c.
    - CVE-2015-1607
 -- Marc Deslauriers <email address hidden> Fri, 27 Mar 2015 08:18:55 -0400

Changed in gnupg2 (Ubuntu Trusty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnupg - 1.4.11-3ubuntu2.9

---------------
gnupg (1.4.11-3ubuntu2.9) precise-security; urgency=medium

  * Screen responses from keyservers (LP: #1409117)
    - d/p/0001-Screen-keyserver-responses.dpatch
    - d/p/0002-Make-screening-of-keyserver-result-work-with-multi-k.dpatch
    - d/p/0003-Add-kbnode_t-for-easier-backporting.dpatch
    - d/p/0004-gpg-Fix-regression-due-to-the-keyserver-import-filte.dpatch
  * Fix large key size regression from CVE-2014-5270 changes (LP: #1371766)
    - d/p/Add-build-and-runtime-support-for-larger-RSA-key.dpatch
    - debian/rules: build with --enable-large-secmem
  * SECURITY UPDATE: sidechannel attack on Elgamal
    - debian/patches/CVE-2014-3591.dpatch: use ciphertext blinding in
      cipher/elgamal.c.
    - CVE-2014-3591
  * SECURITY UPDATE: sidechannel attack via timing variations in mpi_powm
    - debian/patches/CVE-2015-0837.dpatch: avoid timing variations in
      include/mpi.h, mpi/mpi-pow.c, mpi/mpiutil.c.
    - CVE-2015-0837
  * SECURITY UPDATE: invalid memory read via invalid keyring
    - debian/patches/CVE-2015-1606.dpatch: skip all packets not allowed in
      a keyring in g10/keyring.c.
    - CVE-2015-1606
  * SECURITY UPDATE: memcpy with overlapping ranges
    - debian/patches/CVE-2015-1607.dpatch: use inline functions to convert
      buffer data to scalars in g10/apdu.c, g10/app-openpgp.c,
      g10/build-packet.c, g10/ccid-driver.c, g10/getkey.c, g10/keygen.c,
      g10/keyid.c, g10/misc.c, g10/parse-packet.c, g10/tdbio.c,
      g10/trustdb.c, include/host2net.h.
    - CVE-2015-1607
 -- Marc Deslauriers <email address hidden> Fri, 27 Mar 2015 08:24:00 -0400

Changed in gnupg (Ubuntu Precise):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnupg2 - 2.0.17-2ubuntu2.12.04.6

---------------
gnupg2 (2.0.17-2ubuntu2.12.04.6) precise-security; urgency=medium

  * Screen responses from keyservers (LP: #1409117)
    - d/p/0001-Screen-keyserver-responses.patch
    - d/p/0002-Make-screening-of-keyserver-result-work-with-multi-k.patch
    - d/p/0003-Add-kbnode_t-for-easier-backporting.patch
    - d/p/0004-gpg-Fix-regression-due-to-the-keyserver-import-filte.patch
  * Fix large key size regression from CVE-2014-5270 changes (LP: #1371766)
    - d/p/Add-build-and-runtime-support-for-larger-RSA-key.patch
    - debian/rules: build with --enable-large-secmem
  * SECURITY UPDATE: invalid memory read via invalid keyring
    - debian/patches/CVE-2015-1606.patch: skip all packets not allowed in
      a keyring in g10/keyring.c.
    - CVE-2015-1606
  * SECURITY UPDATE: memcpy with overlapping ranges
    - debian/patches/CVE-2015-1607.patch: use inline functions to convert
      buffer data to scalars in common/iobuf.c, g10/build-packet.c,
      g10/getkey.c, g10/keygen.c, g10/keyid.c, g10/main.h, g10/misc.c,
      g10/parse-packet.c, g10/tdbio.c, g10/trustdb.c, include/host2net.h,
      kbx/keybox-dump.c, kbx/keybox-openpgp.c, kbx/keybox-search.c,
      kbx/keybox-update.c, scd/apdu.c, scd/app-openpgp.c,
      scd/ccid-driver.c, scd/pcsc-wrapper.c, tools/ccidmon.c.
    - CVE-2015-1607
 -- Marc Deslauriers <email address hidden> Fri, 27 Mar 2015 08:20:03 -0400

Changed in gnupg2 (Ubuntu Precise):
status: Confirmed → Fix Released
Marc Deslauriers (mdeslaur) wrote :

Lucid is near end-of-life, we're not going to be fixing this.

Changed in gnupg (Ubuntu Lucid):
status: Confirmed → Won't Fix
Changed in gnupg2 (Ubuntu Lucid):
status: Confirmed → Won't Fix