Date: Mon, 1 Sep 2014 20:33:20 +0200 From: Thijs Kinkhorst <thijs@...ian.org> To: oss-security@...ts.openwall.com Cc: Werner Koch <wk@...pg.org>, pkg-gnupg-maint@...ts.alioth.debian.org Subject: gpg blindly imports keys from keyserver responses All, Stefan Tomanek reported to Debian that GnuPG accepts any key as a response from a keyserver, regardless of whether that key was actually requested: https://bugs.debian.org/725411 There's some discussion about the issue; we believe that the primary way to verify key ownership is still the web of trust and manual fingerprint verification. It is however argued that as a user, requesting keys based on specifying the full fingerprint is a safe way to retreive a key for a known- good fingerprint. But this argument is again somewhat countered by an attack on V3 keys which allows generating such fingerprints, making such a request dubious again. All in all, the safe choice seems to be to patch this issue, so Debian will release updates for it. It has been fixed upstream in GnuPG 1.4.17 with this commit: http://git.gnupg.org/cgi- bin/gitweb.cgi?p=gnupg.git;a=commit;h=5230304349490f31aa64ee2b69a8a2bc06bf7816 I'll leave it to the numbering authorities whether this is something that should get a CVE id. Cheers, Thijs Kinkhorst Debian Security Team Download attachment "signature.asc " of type "application/pgp-signature" (474 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.