Date: Sun, 31 May 2015 21:52:45 -0400 From: Daniel Kahn Gillmor <dkg@...thhorseman.net> To: Enrico Zini <enrico@...icozini.org>, oss-security@...ts.openwall.com Subject: Re: [CVE-2015-0839] hp-plugin binary driver verification On Fri 2015-05-29 09:00:35 -0400, Enrico Zini wrote: > I was forced to run hp-plugin to download a binary driver for the new > printer, and I noticed this bit: > > Downloading plug-in from: > Receiving digital keys: /usr/bin/gpg --homedir /home/enrico/.hplip/.gnupg --no-permission-warning --keyserver pgp.mit.edu --recv-keys 0xA59047B9 > Creating directory plugin_tmp > Verifying archive integrity... All good. > > The use of a short key ID worries me, because it is now trivial to > generate keys with arbitrary key IDs, and gpg --recv-keys will happily > download all those it finds. Also, pgp.mit.edu is a keyserver where > everyone can upload arbitrary keys. > > You can run "gpg --recv 70096AD1" to play with multiple keys having the > same key ID. > > I assume hp-plugin is open to downloading and verifying plugins signed > by any key that one can verify that have that short key ID, and that > with that and some fiddling with DNS one can cause systems running > hp-plugin to download and run malicious code. > > A quick fix would be to use the full fingerprint instead of the key id. A better quick fix would be to ship the authoritative key in hplip directly, and avoid all interaction with the keyservers. --dkg
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ