oss-security - Re: Re: Travis CI MITM RCE

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Date: Wed, 31 Oct 2018 15:29:15 +0100
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: Re: Re: Travis CI MITM RCE

* Daniel Kahn Gillmor <dkg@...thhorseman.net>, 2018-10-29, 08:52:
>>My proposed fix was to use "gpg --recv-key" with full fingerprint. But 
>>I now discovered that even this is not resistant against MitM attacks:
>>
>>https://dev.gnupg.org/T3398
>>
>>"[...] modern gpg automatically applies an import screener that only 
>>accepts OpenPGP certificates that have the given fingerprint [...]
>
>It may be even worse than this, because the version of gpg used by 
>default in travis is not "modern gpg", it's either gnupg2 
>2.0.22-3ubuntu1.4 or gnupg 1.4.16-1ubuntu2.6.  I don't think either of 
>these has the baseline "import screener" functionality

Ubuntu Precise and later releases have the import screener backported to 
gnupg(2) packages:
https://bugs.launchpad.net/ubuntu/+source/gnupg2/+bug/1409117

-- 
Jakub Wilk

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.