Date: Sun, 31 May 2015 21:52:45 -0400
From: Daniel Kahn Gillmor <dkg@...thhorseman.net>
To: Enrico Zini <enrico@...icozini.org>, oss-security@...ts.openwall.com
Subject: Re: [CVE-2015-0839] hp-plugin binary driver verification

On Fri 2015-05-29 09:00:35 -0400, Enrico Zini wrote:
> I was forced to run hp-plugin to download a binary driver for the new
> printer, and I noticed this bit:
>
>   Downloading plug-in from:
>   Receiving digital keys: /usr/bin/gpg --homedir /home/enrico/.hplip/.gnupg --no-permission-warning --keyserver pgp.mit.edu --recv-keys 0xA59047B9
>   Creating directory plugin_tmp
>   Verifying archive integrity... All good.
>
> The use of a short key ID worries me, because it is now trivial to
> generate keys with arbitrary key IDs, and gpg --recv-keys will happily
> download all those it finds. Also, pgp.mit.edu is a keyserver where
> everyone can upload arbitrary keys.
>
> You can run "gpg --recv 70096AD1" to play with multiple keys having the
> same key ID.
>
> I assume hp-plugin is open to downloading and verifying plugins signed
> by any key that one can verify that has that short key ID, and that
> with that and some fiddling with DNS one can cause systems running
> hp-plugin to download and run malicious code.
>
> A quick fix would be to use the full fingerprint instead of the key id.

A better quick fix would be to ship the authoritative key in hplip
directly, and avoid all interaction with the keyservers.

          --dkg
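As an added illustration, not part of this thread or of hplip's code: the check a plugin installer would want is to compare the signer's full 40-hex fingerprint (from the VALIDSIG line of `gpg --status-fd` output) against a pinned value, rather than trusting whatever `--recv-keys 0xA59047B9` fetched. The fingerprints and status lines below are constructed placeholders whose last eight hex digits equal the short key ID from the thread.

```python
import re

# Pinned full fingerprint of the only key allowed to sign plugins.
# Constructed placeholder: the real HPLIP key fingerprint is not reproduced here.
PINNED_FINGERPRINT = "0123456789ABCDEF0123456789ABCDEFA59047B9"

# A second, colliding key that shares the short ID A59047B9 (constructed).
COLLIDING_FINGERPRINT = "FEDCBA9876543210FEDCBA9876543210A59047B9"

# Status lines as produced by `gpg --status-fd 1 --verify plugin.asc plugin`
# (constructed samples; timestamps and algorithm fields are illustrative).
GENUINE_STATUS = (
    "[GNUPG:] GOODSIG 89ABCDEFA59047B9 HP Linux Imaging and Printing\n"
    f"[GNUPG:] VALIDSIG {PINNED_FINGERPRINT} 2015-05-29 1432900835 0 4 0 1 8 00 {PINNED_FINGERPRINT}\n"
)
COLLIDING_STATUS = (
    "[GNUPG:] GOODSIG 76543210A59047B9 HP Linux Imaging and Printing\n"
    f"[GNUPG:] VALIDSIG {COLLIDING_FINGERPRINT} 2015-05-30 1432987235 0 4 0 1 8 00 {COLLIDING_FINGERPRINT}\n"
)

VALIDSIG_RE = re.compile(r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{40}) ")


def signer_fingerprint(status_output: str):
    """Return the full fingerprint reported on gpg's VALIDSIG line, or None
    when no valid signature was reported (BADSIG, NO_PUBKEY, ...)."""
    for line in status_output.splitlines():
        m = VALIDSIG_RE.match(line)
        if m:
            return m.group(1)
    return None


def short_key_id(fingerprint: str) -> str:
    """The 32-bit 'short key ID' is just the last 8 hex digits of the fingerprint,
    which is why two different keys can share it."""
    return fingerprint[-8:].upper()


def signature_is_trusted(status_output: str, pinned: str = PINNED_FINGERPRINT) -> bool:
    """Accept the archive only if it carries a valid signature made by exactly
    the pinned key, compared on the full fingerprint, never on the short ID."""
    fpr = signer_fingerprint(status_output)
    return fpr is not None and fpr == pinned.upper()
```

Shipping the pinned key inside the package (dkg's suggestion) removes the keyserver from the picture entirely; this comparison is the check that would still catch a substituted key if one were ever downloaded.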
